Scoping

Scoping is the single most consequential decision in your CMMC journey. Get it right and you assess only what needs assessing — a tight enclave with clear boundaries. Get it wrong and you either over-scope (making compliance unnecessarily expensive) or under-scope (which creates findings during the real assessment when the C3PAO discovers assets you missed).

The scope applies equally to self-assessments and C3PAO certification assessments. The security requirements are identical — the only difference is who does the assessing.

Why This Matters to the Bottom Line

Every asset you can legitimately keep out of scope is one less thing to secure, document, monitor, and pay to have assessed. But every asset you wrongly exclude is a finding waiting to happen — and the assessor will find it.

Before the assessment begins, you must define and document your CMMC Assessment Scope — the specific set of assets (people, systems, facilities) that will be evaluated. This is governed by 32 CFR § 170.19(c).

Planning ahead: If you ever plan to pursue Level 3, your Level 2 scoping decisions have consequences. Assets categorized as Contractor Risk Managed at Level 2 get treated as CUI Assets at Level 3 — meaning they face full assessment against all requirements. Think ahead.

Classified assets are never in scope for CMMC, even if they contain CUI.

---

The Five Asset Categories

Every asset in your environment gets placed into one of five categories. Four are in scope. One is out.

Category	What It Is	Assessment Treatment
CUI Assets	Processes, stores, or transmits CUI	All 110 requirements — full assessment
Security Protection Assets	Provides security functions for the CUI environment	Relevant requirements only
Contractor Risk Managed	Can but isn’t intended to handle CUI	SSP review; limited check only if docs are weak
Specialized Assets	Handles CUI but can’t be fully secured (OT, IoT, GFE)	SSP review; may qualify for Enduring Exception
Out-of-Scope	No CUI, no security role, physically or logically separated	Not assessed — but be ready to justify

The categories aren’t just labels — they determine how much assessment scrutiny an asset receives and how much work you need to do to secure it. The difference between CUI Asset (all 110 requirements) and CRMA (SSP review) is enormous in terms of cost and effort.

---

More Scoping Topics

Topic	What It Covers
Defining Your Boundary	Drawing the line around your assessment scope
Separation Techniques	Logical and physical separation to reduce scope
External Service Providers	When your vendors, CSPs, and MSPs fall inside your scope
Enclaves & Use Cases	Enclave model, inherited controls, FCI+CUI scenarios, Security Protection Data