We (a CDC with ITAR reqs and so on) recently got acquired by a large corporation. This group does not usually handle cases like us, those who handle CUI or higher-classification data. As the integration goes forward, they are asking us to open our firewall for them to perform Rapid7 vuln scans on our network, which will populate info like our IP ranges, computer names, active users, and software lists/versions.
Does anyone know if any of this information counts as CDI/CUI/FCI? We can expect that non-US citizens would be able to see the results of the scans. At the very least, I am concerned about exploits being known by employees that do not work directly for my division, as those can be used to gain access to our CUI.