Scoping
Scoping is the single most consequential decision in your CMMC journey. Get it right and you assess only what needs assessing — a tight enclave with clear boundaries. Get it wrong and you either over-scope (making compliance unnecessarily expensive) or under-scope (which creates findings during the real assessment when the C3PAO discovers assets you missed).
The scope applies equally to self-assessments and C3PAO certification assessments. The security requirements are identical — the only difference is who does the assessing.
Before the assessment begins, you must define and document your CMMC Assessment Scope — the specific set of assets (people, systems, facilities) that will be evaluated. This is governed by 32 CFR § 170.19(c).
Planning ahead: If you ever plan to pursue Level 3, your Level 2 scoping decisions have consequences. Assets categorized as Contractor Risk Managed at Level 2 get treated as CUI Assets at Level 3 — meaning they face full assessment against all requirements. Think ahead.
Classified assets are never in scope for CMMC, even if they contain CUI.
The Five Asset Categories
Every asset in your environment gets placed into one of five categories. Four are in scope. One is out.
| Category | What It Is | Assessment Treatment |
|---|---|---|
| CUI Assets | Processes, stores, or transmits CUI | All 110 requirements — full assessment |
| Security Protection Assets | Provides security functions for the CUI environment | Relevant requirements only |
| Contractor Risk Managed | Can but isn’t intended to handle CUI | Reviewed via SSP (CA.L2-3.12.4); not assessed against other CMMC practices |
| Specialized Assets | Defined asset types: Government Property, IoT/IIoT, OT, Restricted Information Systems, Test Equipment | Reviewed via SSP (CA.L2-3.12.4); not assessed against other CMMC practices |
| Out-of-Scope | No CUI, no security role, physically or logically separated | Not assessed — but be ready to justify |
The categories aren’t just labels — they determine how much assessment scrutiny an asset receives and how much work you need to do to secure it. The difference between CUI Asset (all 110 requirements) and CRMA (SSP review) is enormous in terms of cost and effort.
Categorization Decision Flow
The table above defines the five categories. This is the order to apply them: run each asset through these questions top to bottom, and the first “yes” sets the category. Stop there — don’t keep going.
1. Does it process, store, or transmit CUI? Yes → CUI Asset: all 110 requirements. No → next question.
2. Does it provide a security function for the in-scope environment? Yes → Security Protection Asset: assessed against relevant requirements. No → next question.
3. Could it handle CUI but isn't intended to, per documented risk-based policy? Yes → Contractor Risk Managed Asset: SSP review (CA.L2-3.12.4); not assessed against other practices. No → next question.
4. Is it a defined specialized type (Government Property, IoT/IIoT, OT, Restricted Information Systems, or Test Equipment)? Yes → Specialized Asset: SSP review; not assessed against other practices. No → next question.
5. None of the above (no CUI, no security role, physically or logically separated) → Out-of-Scope: no documentation required, but be ready to justify it.

Order matters: a CUI Asset that also runs a security function is still a CUI Asset, because question 1 catches it first.
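The decision flow above is a fixed-order rule chain, which makes it easy to apply mechanically across an asset inventory. The following is an added example, not code from the page or from any CMMC tooling: it encodes the five questions in order (first “yes” wins), excludes classified assets up front, and applies the Level 3 rule from the planning note (a Level 2 CRMA becomes a CUI Asset at Level 3). The `Asset` field names, the `SAMPLE_INVENTORY` records, and the `policy_gaps` check (flagging CUI-capable assets that lack the documented risk-based policy question 3 requires, so they do not silently fall through to Out-of-Scope) are this example's own constructions, not a CMMC schema.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Category(str, Enum):
    CUI = "CUI Asset"
    SPA = "Security Protection Asset"
    CRMA = "Contractor Risk Managed Asset"
    SPECIALIZED = "Specialized Asset"
    OUT_OF_SCOPE = "Out-of-Scope"
    CLASSIFIED = "Classified (never in CMMC scope)"


# Assessment treatment per category, as stated in the table above.
TREATMENT = {
    Category.CUI: "All 110 requirements - full assessment",
    Category.SPA: "Relevant requirements only",
    Category.CRMA: "Reviewed via SSP (CA.L2-3.12.4); not assessed against other practices",
    Category.SPECIALIZED: "Reviewed via SSP (CA.L2-3.12.4); not assessed against other practices",
    Category.OUT_OF_SCOPE: "Not assessed - be ready to justify",
    Category.CLASSIFIED: "Excluded from CMMC scope",
}

# The defined specialized asset types named in question 4.
SPECIALIZED_TYPES = frozenset({
    "Government Property", "IoT/IIoT", "OT",
    "Restricted Information Systems", "Test Equipment",
})


@dataclass
class Asset:
    """Inventory record. Field names are this example's own, not a CMMC schema."""
    name: str
    handles_cui: bool = False              # Q1: processes, stores, or transmits CUI
    security_function: bool = False        # Q2: security function for the in-scope environment
    could_handle_cui: bool = False         # Q3a: capable of handling CUI ...
    risk_policy_documented: bool = False   # Q3b: ... but not intended to, per documented policy
    specialized_type: Optional[str] = None # Q4: one of SPECIALIZED_TYPES, or None
    classified: bool = False               # classified assets are never in scope


def categorize(asset: Asset, level: int = 2) -> Category:
    """Walk the questions top to bottom; the first 'yes' decides the category.

    level=3 applies the Level 3 rule: an asset that would be Contractor Risk
    Managed at Level 2 is treated as a CUI Asset at Level 3.
    """
    if asset.classified:
        return Category.CLASSIFIED
    if asset.handles_cui:                                        # Q1
        return Category.CUI
    if asset.security_function:                                  # Q2
        return Category.SPA
    if asset.could_handle_cui and asset.risk_policy_documented:  # Q3
        return Category.CUI if level == 3 else Category.CRMA
    if asset.specialized_type in SPECIALIZED_TYPES:              # Q4
        return Category.SPECIALIZED
    return Category.OUT_OF_SCOPE                                 # Q5


def scope_report(assets: List[Asset], level: int = 2) -> Dict[str, Tuple[Category, str]]:
    """Map each asset name to its (category, assessment treatment)."""
    return {a.name: (cat, TREATMENT[cat]) for a in assets for cat in [categorize(a, level)]}


def policy_gaps(assets: List[Asset]) -> List[str]:
    """Analyst check (this example's own): CUI-capable assets with no documented
    risk-based policy cannot answer question 3 'yes' and need attention before
    the inventory is finalized."""
    return [a.name for a in assets
            if a.could_handle_cui and not a.risk_policy_documented and not a.handles_cui]


# Constructed sample inventory, not taken from the page.
SAMPLE_INVENTORY = [
    Asset("cui-fileserver", handles_cui=True),
    Asset("siem", handles_cui=True, security_function=True),  # Q1 catches it before Q2
    Asset("edge-firewall", security_function=True),
    Asset("eng-laptop-07", could_handle_cui=True, risk_policy_documented=True),
    Asset("cnc-mill", specialized_type="OT"),
    Asset("guest-wifi-ap"),                                    # isolated: no CUI, no security role
    Asset("scif-workstation", classified=True),
]

if __name__ == "__main__":
    for name, (cat, treatment) in scope_report(SAMPLE_INVENTORY).items():
        print(f"{name:18} {cat.value:34} {treatment}")
    print("Policy gaps:", policy_gaps(SAMPLE_INVENTORY + [Asset("intern-pc", could_handle_cui=True)]))
```

Running `scope_report` twice, once with `level=2` and once with `level=3`, shows directly which assets change treatment if you later pursue Level 3, which is the planning question the note above asks you to answer before you commit to a Level 2 categorization.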
More Scoping Topics
| Topic | What It Covers |
|---|---|
| Defining Your Boundary | Drawing the line around your assessment scope |
| Separation Techniques | Logical and physical separation to reduce scope |
| External Service Providers | When your vendors, CSPs, and MSPs fall inside your scope |
| Enclaves & Use Cases | Enclave model, inherited controls, FCI+CUI scenarios, Security Protection Data |