
Section · 2 of 5

Scoping.

Define your assessment boundary — which assets are in, which are out, and why every scoping decision either saves you money or creates findings.

Scoping

Scoping is the single most consequential decision in your CMMC journey. Get it right and you assess only what needs assessing — a tight enclave with clear boundaries. Get it wrong and you either over-scope (making compliance unnecessarily expensive) or under-scope (which creates findings during the real assessment when the C3PAO discovers assets you missed).

The scope applies equally to self-assessments and C3PAO certification assessments. The security requirements are identical — the only difference is who does the assessing.

Before the assessment begins, you must define and document your CMMC Assessment Scope — the specific set of assets (people, systems, facilities) that will be evaluated. This is governed by 32 CFR § 170.19(c).

Planning ahead: If you ever plan to pursue Level 3, your Level 2 scoping decisions have consequences. Assets categorized as Contractor Risk Managed at Level 2 get treated as CUI Assets at Level 3 — meaning they face full assessment against all requirements. Think ahead.

Classified assets are never in scope for CMMC, even if they contain CUI.


Every asset in your environment gets placed into one of five categories. Four are in scope. One is out.

Category | What It Is | Assessment Treatment
--- | --- | ---
CUI Assets | Processes, stores, or transmits CUI | All 110 requirements — full assessment
Security Protection Assets | Provides security functions for the CUI environment | Relevant requirements only
Contractor Risk Managed | Can but isn’t intended to handle CUI | Reviewed via SSP (CA.L2-3.12.4); not assessed against other CMMC practices
Specialized Assets | Defined asset types: Government Property, IoT/IIoT, OT, Restricted Information Systems, Test Equipment | Reviewed via SSP (CA.L2-3.12.4); not assessed against other CMMC practices
Out-of-Scope | No CUI, no security role, physically or logically separated | Not assessed — but be ready to justify

The categories aren’t just labels — they determine how much assessment scrutiny an asset receives and how much work you need to do to secure it. The difference between CUI Asset (all 110 requirements) and CRMA (SSP review) is enormous in terms of cost and effort.


The table above defines the five categories. This is the order to apply them: run each asset through these questions top to bottom, and the first “yes” sets the category. Stop there — don’t keep going.

1. Does it process, store, or transmit CUI?
→ Yes: CUI Asset — all 110 requirements.
↓ No
2. Does it provide a security function for the in-scope environment?
→ Yes: Security Protection Asset — assessed against relevant requirements.
↓ No
3. Could it handle CUI but isn’t intended to, per documented risk-based policy?
→ Yes: Contractor Risk Managed Asset — SSP review (CA.L2-3.12.4); not assessed against other practices.
↓ No
4. Is it a defined specialized type — Government Property, IoT/IIoT, OT, Restricted Information Systems, or Test Equipment?
→ Yes: Specialized Asset — SSP review; not assessed against other practices.
↓ No
5. None of the above — no CUI, no security role, physically or logically separated.
→ Out-of-Scope — no documentation required, but be ready to justify it.

Order matters: a CUI Asset that also runs a security function is still a CUI Asset, because question 1 catches it first.
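The category table and the five-question decision tree above, expressed as an ordered rule list in an added Python example (this is not code from the page's author or from the CMMC program). It assumes an inventory record with attribute names chosen for this example (handles_cui, security_function, could_handle_cui, specialized_type, separated), uses a constructed sample inventory, and applies the page's "planning ahead" note by treating a Contractor Risk Managed Asset as a CUI Asset when the assessment level is 3. The check that refuses to mark an unseparated asset Out-of-Scope is the example's own reading of question 5.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# The five specialized asset types listed under question 4.
SPECIALIZED_TYPES = frozenset({
    "Government Property",
    "IoT/IIoT",
    "OT",
    "Restricted Information Systems",
    "Test Equipment",
})

# Assessment treatment per category, as stated in the category table.
TREATMENT = {
    "CUI Asset": "all 110 requirements (full assessment)",
    "Security Protection Asset": "relevant requirements only",
    "Contractor Risk Managed Asset": "SSP review (CA.L2-3.12.4) only",
    "Specialized Asset": "SSP review (CA.L2-3.12.4) only",
    "Out-of-Scope": "not assessed; be ready to justify",
}


@dataclass
class Asset:
    """One inventory entry. Attribute names are this example's own choice."""
    name: str
    handles_cui: bool = False               # processes, stores, or transmits CUI (Q1)
    security_function: bool = False         # protects the in-scope environment (Q2)
    could_handle_cui: bool = False          # capable of CUI, not intended to, per policy (Q3)
    specialized_type: Optional[str] = None  # one of SPECIALIZED_TYPES (Q4)
    separated: bool = False                 # physically or logically separated (Q5)


def categorize(asset: Asset, level: int = 2) -> str:
    """Apply the five questions top to bottom; the first 'yes' sets the category."""
    if asset.specialized_type is not None and asset.specialized_type not in SPECIALIZED_TYPES:
        raise ValueError(f"{asset.name}: {asset.specialized_type!r} is not a defined specialized type")
    if asset.handles_cui:
        category = "CUI Asset"
    elif asset.security_function:
        category = "Security Protection Asset"
    elif asset.could_handle_cui:
        category = "Contractor Risk Managed Asset"
    elif asset.specialized_type is not None:
        category = "Specialized Asset"
    elif asset.separated:
        category = "Out-of-Scope"
    else:
        # Q5 requires physical or logical separation. An asset that answered
        # "no" to Q1-Q4 but is not separated has no category yet; flag it
        # instead of silently declaring it out of scope (example's own check).
        raise ValueError(f"{asset.name}: not separated, so it cannot be Out-of-Scope; revisit Q3 or separate it")
    # Planning ahead (from the page): at Level 3 a CRMA is treated as a CUI Asset.
    if level == 3 and category == "Contractor Risk Managed Asset":
        category = "CUI Asset"
    return category


def scope_summary(inventory: List[Asset], level: int = 2) -> Dict[str, int]:
    """Count assets per category for an assessment at the given level."""
    return dict(Counter(categorize(a, level) for a in inventory))


def full_assessment_assets(inventory: List[Asset], level: int = 2) -> List[str]:
    """Names of the assets that face all 110 requirements."""
    return [a.name for a in inventory if categorize(a, level) == "CUI Asset"]


# Constructed sample inventory (not from the page).
SAMPLE_INVENTORY = [
    Asset("cui-file-server", handles_cui=True, security_function=True),  # Q1 catches it before Q2
    Asset("engineering-workstation", handles_cui=True),
    Asset("enclave-firewall", security_function=True),
    Asset("siem", security_function=True),
    Asset("sales-laptop", could_handle_cui=True),
    Asset("shop-floor-plc", specialized_type="OT"),
    Asset("guest-wifi-ap", separated=True),
]

if __name__ == "__main__":
    for asset in SAMPLE_INVENTORY:
        cat = categorize(asset)
        print(f"{asset.name:24} {cat:30} {TREATMENT[cat]}")
    print("Level 2:", scope_summary(SAMPLE_INVENTORY))
    print("Level 3:", scope_summary(SAMPLE_INVENTORY, level=3))
```

Running the script for both levels shows the cost of a Level 2 CRMA decision: the same inventory moves one more asset into the full-assessment bucket at Level 3.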


Topics in this section:

Topic | What It Covers
--- | ---
Defining Your Boundary | Drawing the line around your assessment scope
Separation Techniques | Logical and physical separation to reduce scope
External Service Providers | When your vendors, CSPs, and MSPs fall inside your scope
Enclaves & Use Cases | Enclave model, inherited controls, FCI+CUI scenarios, Security Protection Data
