
CMMC Compliance Checklist: Managing Scoping for CUI

DoD contracts will include CMMC compliance checklist requirements by Q4 2025, and defense contractors must prepare for this critical cybersecurity mandate. The DoD will require more than 80,000 defense contractors to pass independent third-party assessments to keep their contract eligibility.

CMMC 2.0 introduces significant updates to the original framework while keeping security standards strong. Organizations that handle Controlled Unclassified Information (CUI) must implement all 110 NIST SP 800-171 controls for CMMC Level 2 compliance. Level 2 also requires certification by an independent third-party assessor to maintain contract eligibility.

This piece walks you through everything in the CMMC assessment process for CUI protection. You’ll learn proven strategies to define your assessment boundary and categorize assets based on the CMMC scoping guide. The right separation techniques will help optimize your compliance work. These steps will prepare you for both self-assessment and certification assessment scenarios that share the same security requirements.

Understanding the Role of Scoping in CMMC Level 2

Scoping builds the foundation of CMMC Level 2 compliance. It stands as the vital first step before implementing any security controls. Scoping helps identify which parts of your organization’s environment need protection and assessment for cybersecurity compliance. This process determines which assets fall within your CMMC assessment boundary. It creates a map of where CUI exists, who has access, and how it’s secured.

Why scoping is critical for CUI protection

Your organization’s success in protecting sensitive information depends on proper scoping. Organizations that “follow the data” (specifically CUI) learn about how this information connects with people, processes, workflows, devices, and components throughout their environment. This complete understanding helps target protection of your most sensitive assets.

Effective scoping needs a multi-faceted approach:

  1. Asset Identification: Cataloging all physical devices, software, and data repositories where CUI is handled
  2. Data Flow Mapping: Creating detailed maps showing how CUI moves within your organization and beyond
  3. Risk Assessment: Regular evaluations reveal vulnerabilities and guide scope adjustments
  4. Segmentation: Network isolation separates sensitive information from less critical network areas
  5. Policy Enforcement: All employees must understand CUI handling requirements

Organizations face serious challenges without accurate scoping. A poorly defined CUI boundary leads to immediate assessment failure. Small oversights can have major consequences. An employee viewing CUI via email on their phone puts that device in-scope. Printing CUI brings that printer within scope.

Scoping needs regular review and adjustment. Your organization must reassess its scope with new contracts with CUI, system changes, organizational shifts, or new CUI workflows.

Impact of scoping on assessment cost and duration

Your defined CMMC assessment scope affects both the cost and complexity of your compliance effort. Poor boundaries could put your entire network and business operations under assessment scope. This situation can make protection costs rise beyond reasonable limits.

Asset categorization affects assessment scope and costs significantly. Wrong categorization wastes resources through over-scoping or causes assessment failure through under-scoping. Understanding asset categorization according to the CMMC Scoping Guide optimizes your compliance efforts.

Smart CUI scoping saves costs and resources. A smaller, accurate CUI boundary needs less effort to achieve CMMC compliance. A visual data flow diagram maps data movement through your organization. This helps your assessor verify that everything within established boundaries stays protected.

Well-defined scope reduces audit complexity. Good segmentation minimizes both audit complexity and cost. Organizations can limit security requirements by isolating CUI processing components in a separate security domain.

Scoping affects both the original assessment and ongoing compliance maintenance. Regular scope audits help adjust to changes in operations or threat landscape. This maintenance keeps your compliance status valid as your environment changes.

Smart scoping helps organizations improve their security posture, protect CUI effectively, and maintain CMMC compliance without excessive spending.

Defining the CMMC Assessment Scope per 32 CFR § 170.19

A clear understanding of your CMMC Assessment Scope definition is vital for compliance success. The Department of Defense outlines these requirements in 32 CFR § 170.19. This regulation provides the framework to determine what your assessment needs to cover.

Assessment scope vs. system boundary

The CMMC Assessment Scope and system boundary are two different concepts that many organizations mix up. The CMMC Assessment Scope is “the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements”. You need to define this scope before any assessment starts, regardless of Level 1, 2, or 3.

A system boundary usually points to the technical perimeter of an information system. The Assessment Scope goes beyond that. It has all assets that need review during a CMMC assessment based on their CUI interaction. This scope includes technical systems, people, processes, and external service providers that work with CUI.

Your scope depends on where your CUI goes – specifically where you process, store, or send it within your environment. This data-focused approach means your scope might cross several system boundaries as CUI moves through your organization.

Level 2 assessments look at these specific asset categories:

| Asset Category | Description | Assessment Requirement |
| --- | --- | --- |
| CUI Assets | Assets that process, store, or transmit CUI | Assessed against all Level 2 security requirements |
| Security Protection Assets | Assets providing security functions to the OSA’s Assessment Scope | Assessed against relevant Level 2 security requirements |
| Specialized Assets | Assets such as IoT devices, OT systems, and GFE that may handle CUI but cannot be fully secured with standard controls | Reviewed in the SSP but not assessed against all requirements |
| Contractor Risk Managed Assets | Assets that can access CUI but are not intended to | Documented but not fully assessed if properly risk-managed |

Out-of-Scope Assets can’t process, store, or transmit CUI and don’t provide security protections for CUI.

Documentation required for scope definition

You need proper documentation to define your assessment scope clearly. Organizations seeking Level 2 certification must prepare these key documents according to 32 CFR § 170.19:

  1. Asset Inventory – A complete list of all in-scope assets including CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets
  2. System Security Plan (SSP) – This document shows how you manage and protect each asset category
  3. Network Diagram – A visual map of the CMMC Assessment Scope that shows all in-scope assets and their connections

Your network diagram should label all CUI Assets clearly and show how CUI moves in and out of each asset. This visual helps assessors understand your environment and check your protection measures.

These documents help assessors during pre-assessment activities and aid scoping discussions. They need to match your current environment exactly, and you should update them when changes happen.

Level 1 self-assessments don’t need as much documentation as Level 2. But if you handle CUI, you must meet all Level 2 documentation requirements.

Start preparing your documentation well before your assessment. Creating these documents often helps you find gaps in your CUI environment knowledge. This process can help refine your scope and might make your assessment less complex.

A well-defined scope and proper documentation ensure your CMMC assessment focuses on the right systems. This approach can reduce your assessment costs while keeping sensitive information secure.

Categorizing Assets in the CMMC Scoping Guide

Flowchart for identifying US DoD Controlled Unclassified Information (CUI) under DFARS 7012 and CMMC L2 compliance guidelines.

Image Source: Totem Technologies

A successful CMMC assessment relies heavily on proper asset categorization. The CMMC Scoping Guide has five distinct asset categories that shape documentation needs and assessment scope. Learning about each category will help you optimize compliance efforts and keep security protections intact.

Controlled Unclassified Information (CUI) Assets

CUI Assets are at the heart of your CMMC Level 2 assessment. These assets handle CUI directly through tasks like accessing, editing, creating, or printing sensitive information. File servers with technical drawings, workstations used to access CUI, and cloud storage with CUI contract details are common examples.

Your asset inventory must list these assets, and your System Security Plan (SSP) needs to detail them. Network diagrams should clearly show CUI data flow. These assets face evaluation against all 110 CMMC Level 2 security requirements that come from NIST SP 800-171.

Security Protection Assets and Security Protection Data

Security Protection Assets (SPAs) safeguard your assessment scope, whether or not they handle CUI directly. These assets implement security controls that protect your CUI environment, even from separate physical or logical locations.

You’ll typically find these SPAs:

  • Firewalls and boundary devices
  • Authentication servers and identity management systems
  • Security Information and Event Management (SIEM) platforms
  • Anti-virus management servers

Security Protection Data (SPD) consists of information these assets store or process, such as settings, logs, vulnerability data, and login credentials. SPAs need assessment against relevant CMMC requirements because attackers could exploit this data if compromised.

Contractor Risk Managed Assets (CRMAs)

CRMAs can handle CUI but don’t because of security policies and practices in place. Unlike CUI Assets, CRMAs don’t need evaluation against all 110 CMMC controls if you document them well.

Here are some examples:

  • File servers sharing networks with CUI systems
  • Admin workstations that can access CUI systems
  • Devices connected to virtual desktop infrastructure

Assessors start by reviewing your SSP for CRMAs. Good documentation of risk management practices means no more assessment needed. Otherwise, they might do quick spot checks to find issues without adding much time or cost.

Specialized Assets: IoT, OT, GFE, and Test Equipment

Specialized Assets can work with CUI but resist standard security methods. This group includes:

  • Government Furnished Equipment (GFE): Government-owned or leased equipment
  • Internet of Things (IoT)/Industrial IoT: Connected devices with sensors like smart building systems
  • Operational Technology (OT): Systems that interact with physical environments, like industrial controls
  • Restricted Information Systems: Systems following government security rules
  • Test Equipment: Hardware used to test products or components

Your SSP must document these assets, but they usually don’t face all CMMC requirements. Level 3 assessments might use intermediate devices to provide security features these specialized assets can’t handle directly.

Out-of-Scope Assets and justification requirements

Out-of-Scope Assets can’t handle CUI and don’t protect CUI Assets. These assets need physical or logical separation from your CUI environment to qualify as out-of-scope.

Any asset that fits an in-scope category can’t be out-of-scope. You’ll need to explain why these assets can’t handle CUI, either because of boundaries you’ve set up or built-in limitations.

Virtual Desktop Infrastructure (VDI) clients get a special pass. They can be out-of-scope if they’re set up to prevent local CUI storage or processing beyond basic keyboard/video/mouse interactions, even with network connectivity.

This knowledge of categories will help you apply your CMMC compliance checklist effectively while protecting your entire environment.
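To make the five categories concrete, here is an added example that is not part of the original article or of any CMMC tooling: a small Python model that places each asset in an inventory into one of the categories described above, using the same decision order the sections imply (Specialized types first, then the VDI keyboard/video/mouse exception, then CUI handling, security function, CRMA, and finally out-of-scope with a required separation justification). The `Asset` fields, the `SPECIALIZED_TYPES` set, the `ScopingError` class and the sample inventory are all constructed for this example; the per-category assessment notes paraphrase the article's own table.

```python
"""Asset categorization helper (constructed example, not CMMC Scoping Guide
or assessor tooling). Category names follow the article; assessment notes
are paraphrased from its table."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Category(Enum):
    CUI = "CUI Asset"
    SPA = "Security Protection Asset"
    CRMA = "Contractor Risk Managed Asset"
    SPECIALIZED = "Specialized Asset"
    OUT_OF_SCOPE = "Out-of-Scope Asset"


# What an assessor does with each category (summarised from the article's table).
ASSESSMENT_NOTE = {
    Category.CUI: "assessed against all 110 Level 2 requirements",
    Category.SPA: "assessed against the Level 2 requirements relevant to its security function",
    Category.SPECIALIZED: "documented in the SSP; not assessed against all requirements",
    Category.CRMA: "documented in the SSP; spot-checked if risk management is not evident",
    Category.OUT_OF_SCOPE: "excluded; separation justification recorded",
}

# Specialized asset types listed in the article (set name is an assumption of this example).
SPECIALIZED_TYPES = {"GFE", "IoT", "OT", "Restricted Information System", "Test Equipment"}


@dataclass
class Asset:
    name: str
    handles_cui: bool = False           # processes, stores or transmits CUI
    provides_security: bool = False     # firewall, SIEM, identity provider, AV server...
    can_reach_cui: bool = False         # able to access CUI but not intended to
    risk_managed: bool = False          # preventing policy/practice is documented in the SSP
    special_type: Optional[str] = None  # one of SPECIALIZED_TYPES, if any
    vdi_kvm_only: bool = False          # VDI client limited to keyboard/video/mouse
    separation: str = ""                # physical/logical separation justification


class ScopingError(ValueError):
    """Raised when an asset cannot be placed in a category defensibly."""


def categorize(asset: Asset) -> Category:
    # Specialized types first: they may touch CUI but are documented, not fully assessed.
    if asset.special_type is not None:
        if asset.special_type not in SPECIALIZED_TYPES:
            raise ScopingError(f"{asset.name}: unknown specialized type {asset.special_type!r}")
        return Category.SPECIALIZED
    # VDI clients restricted to KVM interaction can be out of scope even when networked.
    if asset.vdi_kvm_only and not asset.handles_cui:
        return Category.OUT_OF_SCOPE
    if asset.handles_cui:
        return Category.CUI
    if asset.provides_security:
        return Category.SPA
    if asset.can_reach_cui:
        return Category.CRMA
    # Anything else must be shown to be physically or logically separated from CUI.
    if not asset.separation:
        raise ScopingError(f"{asset.name}: out-of-scope claim needs a separation justification")
    return Category.OUT_OF_SCOPE


def build_inventory(assets: List[Asset]) -> Dict[Category, List[str]]:
    """Group asset names by category: the skeleton of the asset inventory document."""
    inventory: Dict[Category, List[str]] = {c: [] for c in Category}
    for asset in assets:
        inventory[categorize(asset)].append(asset.name)
    return inventory


def findings(assets: List[Asset]) -> List[str]:
    """CRMAs whose risk management is undocumented: assessors may spot-check these."""
    return [f"{a.name}: CRMA without documented risk management"
            for a in assets if categorize(a) is Category.CRMA and not a.risk_managed]


def full_assessment_count(assets: List[Asset]) -> int:
    """Assets assessed against all 110 requirements; the main driver of assessment cost."""
    return sum(1 for a in assets if categorize(a) is Category.CUI)


def sample_inventory() -> List[Asset]:
    # Constructed sample, loosely following the examples the article gives.
    return [
        Asset("eng-fileserver-01", handles_cui=True),
        Asset("cui-workstation-07", handles_cui=True),
        Asset("edge-firewall", provides_security=True),
        Asset("siem-01", provides_security=True),
        Asset("admin-workstation-02", can_reach_cui=True, risk_managed=True),
        Asset("shared-fileserver", can_reach_cui=True),  # reachable, no documented risk management
        Asset("plc-line-3", special_type="OT"),
        Asset("vdi-thin-client-14", vdi_kvm_only=True),
        Asset("marketing-laptop-22", separation="commercial VLAN; firewall denies all traffic to CUI segment"),
    ]


if __name__ == "__main__":
    inv = build_inventory(sample_inventory())
    for cat, names in inv.items():
        print(f"{cat.value:30} {len(names):2}  {ASSESSMENT_NOTE[cat]}")
        for n in names:
            print(f"    {n}")
    for line in findings(sample_inventory()):
        print("FINDING:", line)
```

Running the script prints the grouped inventory and one finding for the shared file server, which is the kind of gap an assessor's spot check would surface. The important design point is that an out-of-scope claim is never silent: an asset with no CUI role and no recorded separation justification raises rather than being quietly excluded.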

Implementing Separation Techniques to Limit Scope

Separation techniques are powerful tools in your CMMC compliance strategy. They help you isolate CUI environments and can reduce your assessment burden. The CMMC Scoping Guide treats separation as a system architecture design concept that isolates the assets that process, transmit, or store CUI from those that don’t.

Logical separation using VLANs and firewalls

Logical separation happens when software or network technologies block data transfer between physically connected assets. This lets organizations keep physical connectivity while setting clear boundaries around CUI environments.

Logical separation needs these key parts:

  • Virtual Local Area Networks (VLANs) – Create separate network segments within your physical infrastructure to isolate CUI traffic
  • Firewalls and boundary devices – Enforce traffic rules between network segments and control information flow
  • Virtual Private Networks (VPNs) – Establish secure tunnels for remote access to CUI environments
  • Network routers – Direct traffic between segregated network sections

A resilient logical separation needs both technical controls and supporting administrative measures. Organizations can create distinct CUI security domains through properly configured subnetworks with firewalls and information flow controls. This helps maintain simplified processes.

Physical separation and air-gapped systems

Physical separation is the strictest form of isolation. It happens when assets have no wired or wireless connections between them. Data moves only through manual transfer in physically separated environments—usually with removable media like USB drives.

Organizations with sensitive CUI might need:

  • Dedicated hardware for CUI processing
  • Separate network infrastructure
  • Physical access controls (gates, locks, badge access)
  • Air-gapped systems with no network connectivity

Physically separated systems give robust protection but create operational challenges. They can affect workflow efficiency and usability. All the same, contractors handling sensitive information might need this approach to meet CMMC compliance requirements.

Examples of effective scope reduction

The right separation techniques can significantly reduce your CMMC assessment scope. Consider these practical uses:

Organizations with different business units can separate DoD contract work from commercial contracts. Commercial unit employees who can’t access CUI assets stay outside the assessment scope, along with their systems.

Departments like finance or HR that rarely touch engineering content with CUI can work separately. These departments stay outside assessment boundaries even with shared resources like timekeeping applications if proper separation exists.

An enclave—either on-premise or in the cloud—works well for organizations where few people handle CUI regularly. This method protects sensitive information and workflows while reducing the effect on the organization.

Book a Readiness Call with our CMMC experts to find the best separation techniques for your environment. Our team will help you choose between logical or physical separation strategies that support compliance while minimizing business disruption.

Note that effective separation needs regular upkeep and verification. Testing ensures your separation controls stay effective as your environment changes, helping you stick to your CMMC compliance checklist.

Scoping Considerations for External Service Providers (ESPs)

External relationships make your CMMC assessment scope more complex. Many organizations work with third-party providers for IT and security functions. Yet they find it hard to understand how these relationships affect their compliance obligations.

FedRAMP requirements for CSPs handling CUI

Cloud Service Providers (CSPs) that process, store, or transmit CUI must meet FedRAMP Moderate baseline requirements under DFARS 252.204-7012. This rule has been active since 2017 and independent CMMC audits now verify compliance.

FedRAMP groups cloud services into three impact levels—Low, Moderate, and High. These levels consider three security objectives: Confidentiality, Integrity, and Availability. Moderate Impact systems are right for environments where security breaches could cause serious problems. About 80% of CSP applications with FedRAMP authorization fall into this category.

The DoD requires non-FedRAMP authorized CSPs to show “100% compliance” with FedRAMP Moderate security controls. They need a complete Body of Evidence with system security plans, security assessment reports, and penetration test results from a FedRAMP-recognized third-party assessment organization.

Customer Responsibility Matrix (CRM) documentation

A Customer Responsibility Matrix (CRM) is a vital document that describes security responsibilities between your organization and service providers. A well-laid-out CRM for cloud-based Security Protection Assets helps speed up the assessment process.

The CRM splits control responsibilities into three groups:

  • Common Controls: Shared between you and your provider
  • Inherited Controls: Fully managed by your provider
  • System-Specific Controls: Your responsibility alone

Your organization must still implement and maintain many controls, even with a FedRAMP-authorized cloud provider. The CRM helps you identify which of the 110 CMMC Level 2 requirements are yours and which belong to your provider.

ESP vs. CSP vs. MSP: What’s in scope?

You need to know the difference between provider types to scope accurately:

External Service Provider (ESP): Any third party offering information system services that might process, store, or transmit CUI or Security Protection Data.

Cloud Service Provider (CSP): An external company that provides cloud services through a model that enables on-demand network access to configurable computing resources.

Managed Service Provider (MSP): A company that manages IT infrastructure without hosting its own cloud platform. MSPs use cloud offerings to deliver services but aren’t classified as CSPs.

Scoping requirements change based on how providers work with your organization. MSPs become CSPs when they own the cloud tenant and divide it for customer use. This means they must meet FedRAMP requirements. However, MSPs stay as MSPs when they just configure your subscribed cloud service.

CSPs that handle CUI need FedRAMP authorization. Other ESPs fit into your assessment scope as either CUI Assets or Security Protection Assets. This depends on their function and the data they can access.

Using Enclaves to Isolate CUI Workflows

Diagram showing CUI data flow with enclaves, distinguishing CMMC L1 for FCI data and CMMC L2 for CUI data environments.

Image Source: Summit 7

CUI enclaves provide a practical solution to minimize CMMC assessment scope. An enclave represents “a set of system resources that operate within the same security domain and share the protection of a single, common, and continuous security perimeter”.

Best timing to implement a CUI enclave

Companies get the most value from enclaves if their CUI handling stays limited to specific operations. Setting up an enclave makes perfect sense if sensitive data touches just a small part of your business—as little as 10% in some cases. This setup works best for companies that can isolate their CUI workflows. Companies with CUI spread across teams and departments might find full compliance more practical than enclave isolation.

Inherited controls vs. local implementation

A properly set up enclave allows control inheritance, letting the enclave provider handle certain security requirements rather than local implementation. The organization’s System Security Plans (SSPs) and Customer Responsibility Matrix (CRM) documentation must spell out these relationships clearly. Organizations stay accountable for showing how they implement, document, and manage controls, even with reliable inheritance options.

Reducing scope through architectural segmentation

Smart architectural segmentation in enclaves leads to massive scope reductions. A well-laid-out enclave can secure 20 workstations instead of 200, which means training just 15 people rather than the entire staff. This focused approach brings major cost savings since CMMC expenses directly relate to scope size.

Limiting CUI access to specific employees and devices helps control data flow and prevents scope growth. The moment organizations start creating gaps in the enclave, they risk losing protection and opening paths for data leaks.

Conclusion

CMMC Level 2 compliance is the cornerstone for organizations that handle CUI. This piece explores how proper boundary definition significantly affects assessment costs and security effectiveness. Your compliance burden can decrease while you maintain resilient protection for sensitive information when you carefully identify and categorize assets according to the CMMC Scoping Guide.

Asset categorization plays a vital role in CMMC assessment preparation. You can implement the required 110 security controls in a targeted way by understanding which systems process, store, or transmit CUI. This focused strategy saves resources by avoiding unnecessary protection for systems that don’t need it.

Separation techniques provide powerful strategies to contain your CUI environment. These methods create clear boundaries that assessors can verify through logical means like VLANs and firewalls or physical isolation for highly sensitive information. Organizations benefit from enclave implementation especially when CUI handling makes up just a small part of their operations.

Clear documentation helps manage relationships with external service providers despite added complexity in compliance efforts. Customer Responsibility Matrices show who owns which security controls, and FedRAMP requirements ensure cloud services meet needed standards.

Of course, CMMC compliance is an ongoing journey rather than a destination. Business operations evolve, new contracts emerge, and CUI workflows change, so your assessment scope needs regular review. You should Book a Readiness Call with certified experts who can help identify the best strategies for your specific environment.

CMMC 2.0 implementation moves forward steadily. Companies with well-laid-out scoping documentation will navigate certification more easily. Those who become skilled at effective scoping now will have an advantage in future DoD contracts while deepening their commitment to cybersecurity against emerging threats.

Key Takeaways

Understanding CMMC scoping is essential for defense contractors preparing for Level 2 compliance, as proper boundary definition directly impacts both assessment costs and security effectiveness.

Follow the data to define scope: Track where CUI is processed, stored, or transmitted throughout your organization to accurately determine which assets require full CMMC Level 2 assessment against all 110 security controls.

Categorize assets strategically: Properly classify systems as CUI Assets, Security Protection Assets, CRMAs, or Specialized Assets to optimize compliance efforts and avoid over-scoping that increases costs unnecessarily.

Implement separation techniques: Use logical separation (VLANs, firewalls) or physical isolation to create clear boundaries around CUI environments, potentially reducing assessment scope by 80-90%.

Consider CUI enclaves for targeted protection: Organizations where only 10% of operations handle CUI can dramatically reduce scope by isolating sensitive workflows in dedicated enclaves rather than securing entire networks.

Document external provider relationships: Maintain Customer Responsibility Matrices for cloud services and ensure FedRAMP compliance for CSPs handling CUI to streamline third-party assessments.

Effective scoping isn’t a one-time activity—it requires ongoing review as business operations evolve. Organizations that master scoping now will navigate CMMC certification more efficiently while positioning themselves advantageously for future DoD contracts.

FAQs

Q1. What is CMMC Level 2 compliance and why is it important? CMMC Level 2 compliance is a cybersecurity standard required for defense contractors handling Controlled Unclassified Information (CUI). It’s important because it ensures the protection of sensitive data and is necessary for maintaining eligibility for Department of Defense contracts.

Q2. How does scoping impact CMMC assessment costs? Proper scoping can significantly reduce assessment costs by limiting the number of assets that need to be evaluated. A well-defined scope focuses the assessment on only the necessary systems and processes, potentially saving time and resources during the certification process.

Q3. What are the main categories of assets in CMMC scoping? The main categories of assets in CMMC scoping are CUI Assets, Security Protection Assets, Contractor Risk Managed Assets (CRMAs), and Specialized Assets. Each category has different assessment requirements and impacts on the overall scope of CMMC compliance.

Q4. How can organizations effectively implement separation techniques for CMMC compliance? Organizations can implement separation techniques through logical means like VLANs and firewalls, or physical isolation for highly sensitive information. These methods create clear boundaries around CUI environments, potentially reducing the assessment scope and simplifying compliance efforts.

Q5. What role do External Service Providers (ESPs) play in CMMC compliance? ESPs, including Cloud Service Providers and Managed Service Providers, can significantly impact an organization’s CMMC compliance. It’s crucial to understand their roles, ensure they meet necessary security standards (such as FedRAMP for cloud providers handling CUI), and clearly document responsibilities through Customer Responsibility Matrices.