CMMC Scoping Guide: How to Define Your Level 2 Assessment Boundary
One of the most consequential (and most misunderstood) steps in preparing for CMMC compliance is defining the scope of your assessment boundary. Scope too broadly and you’re burdening your organization with unnecessary controls and cost. Scope too narrowly and you risk leaving Controlled Unclassified Information (CUI) exposure points unaddressed, which can create serious liability under DFARS.
This post explores the key scoping concepts introduced in CMMC Level 2 and the underlying NIST SP 800-171 framework, including how to identify where CUI lives, flows, and is processed across your systems, networks, cloud services, and third-party connections.
Why Scoping Errors Are the Most Expensive CMMC Mistakes
Before a single control is implemented, your organization must answer a foundational question: what is in scope? The CMMC scoping decision determines which systems, people, technologies, and third-party service providers must satisfy the 110 security requirements in NIST SP 800-171, and ultimately what your C3PAO will evaluate.
Organizations frequently get this wrong in one of two directions. Some draw the boundary too wide, dragging in corporate IT systems that never touch CUI and inflating cost and complexity unnecessarily. Others draw it too narrow, excluding systems that do process or store CUI. The latter creates real legal exposure: DFARS 252.204-7012 obligations apply regardless of what boundary you drew internally.
Important: CMMC assessors are trained to evaluate whether your scoping decisions are defensible. An assessment boundary that conveniently excludes troublesome systems (without documented justification) will receive scrutiny.
What Does “Scope” Actually Mean in CMMC?
The CMMC program inherits its scoping guidance from the CMMC Level 2 Scoping Guide published by the Office of the Under Secretary of Defense for Acquisition and Sustainment. It defines five distinct asset categories.
1. CUI Assets
Systems that process, store, or transmit CUI. They carry the full weight of all 110 NIST SP 800-171 practices and are the core of your assessment scope.
2. Security Protection Assets
Systems that don't handle CUI directly but provide security services that protect CUI assets: firewalls, SIEM platforms, identity and access management systems.
Not all 110 CMMC practices apply to these assets, only those applicable to the specific asset type.
3. Contractor Risk Managed Assets
Assets that can connect to CUI systems but do not process, store, or transmit CUI themselves. Contractors can manage these using a risk-based approach, but must document that decision formally.
4. Out-of-Scope Assets
Systems fully isolated from CUI and CUI systems. True isolation must be verifiable; a conceptual firewall rule is not sufficient.
5. Specialized Assets
Government Furnished Equipment (GFE), IoT devices, operational technology (OT), and restricted information systems each carry specific scoping treatments under CMMC. These are commonly overlooked and frequently become assessment findings.
CMMC Asset Category Summary
| Asset Category | Full 110 Controls? | Key Considerations |
| --- | --- | --- |
| CUI Assets | Yes — all 110 | Core of CMMC scope; no exceptions |
| Security Protection Assets | Yes — all 110 | Applicable security practices apply |
| Contractor Risk Managed | No — risk-based | Requires documented risk analysis and justification |
| Out-of-Scope Assets | No | Must demonstrate verifiable isolation from CUI |
| Specialized Assets (IoT, OT, GFE) | Varies | Case-by-case; specific CMMC treatment guidance applies |
The CUI Data Flow: Where Organizations Go Wrong
Most CMMC scoping mistakes originate from an incomplete understanding of how CUI moves through an organization. It is not enough to identify where CUI lives; you must map where it flows.
A rigorous scoping exercise requires a data flow analysis that answers the following questions for every system in your environment:
- Does this system receive, store, process, generate, or transmit CUI at any point?
- Does this system have network connectivity to a system that does?
- Does this system provide security services (logging, authentication, network filtering) that protect CUI assets?
- Is this system managed or accessed by a third party or managed service provider?
- Is this system hosted in a cloud environment, and if so, is that environment FedRAMP-authorized?
Note: CUI often lives in places organizations don't initially consider, such as shared inboxes, collaboration tools like Teams or Slack, ticketing systems, and cloud storage used informally by program management teams.
Cloud Services and External Service Providers
DFARS 252.204-7012 requires that cloud services used to process, store, or transmit CUI meet FedRAMP Moderate baseline requirements or an equivalent. Commercial certifications like ISO 27001 or SOC 2 are not sufficient.
External service providers who access your CMMC environment or manage systems that touch CUI are also within scope. This includes MSSPs, IT managed service providers, and external developers. Each of these relationships must be documented in your System Security Plan.
Network Segmentation: Reducing CMMC Scope Intentionally
Deliberate network segmentation is one of the most effective strategies for managing CMMC scope. By isolating systems that process CUI from the broader corporate network, organizations can credibly reduce what falls under CMMC assessment scrutiny.
To be defensible, segmentation must be:
- Documented with current network diagrams that reflect actual architecture
- Implemented with controls that prevent unauthorized data flows from crossing the boundary
- Monitored continuously to detect drift or unauthorized connectivity
- Validated during the assessment, as assessors will probe boundary controls directly
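The data flow questions above and the segmentation requirements reduce to checks that can be run over an asset inventory. The following is an added example, not code from the original post or from Compass IT Compliance: it takes a constructed inventory (asset names, their declared CMMC category, a hypothetical `cloud`/`fedramp_moderate` flag and a `justification` field) plus constructed network connectivity edges, then walks connectivity outward from the CUI assets and flags the scoping inconsistencies an assessor would look for: an asset declared Out-of-Scope that is reachable from a CUI asset, a Contractor Risk Managed asset with no documented risk analysis, and a cloud service handling CUI that does not carry FedRAMP Moderate or an equivalent. The inventory, the edges and the attribute names are assumptions made for the example.

```python
"""Scoping consistency checks over a constructed asset inventory.

Added example, not part of the original post. The inventory, the
connectivity edges and the attribute names are constructed for
illustration only.
"""
from collections import deque

# Asset categories from the CMMC Level 2 Scoping Guide, as named in the post.
CUI = "CUI"
SPA = "Security Protection"
CRMA = "Contractor Risk Managed"
OOS = "Out-of-Scope"

# Constructed inventory: name -> declared category plus a few attributes
# (the "cloud", "fedramp_moderate" and "justification" keys are assumptions).
ASSETS = {
    "cui-fileserver": {"category": CUI},
    "engineering-ws-01": {"category": CUI},
    "firewall-core": {"category": SPA},
    "siem": {"category": SPA},
    "hr-laptop": {"category": OOS},
    "marketing-web": {"category": OOS},
    # Declared out of scope, but it manages a CUI workstation (see EDGES).
    "rmm-platform": {"category": OOS},
    # Risk-managed designation with no written justification.
    "print-server": {"category": CRMA, "justification": ""},
    # Cloud storage holding CUI without a FedRAMP Moderate authorization.
    "cloud-storage": {"category": CUI, "cloud": True, "fedramp_moderate": False},
}

# Constructed connectivity: each pair is a bidirectional network path.
EDGES = [
    ("cui-fileserver", "engineering-ws-01"),
    ("cui-fileserver", "firewall-core"),
    ("engineering-ws-01", "siem"),
    ("rmm-platform", "engineering-ws-01"),
    ("print-server", "engineering-ws-01"),
    ("hr-laptop", "marketing-web"),
    ("cui-fileserver", "cloud-storage"),
]


def build_adjacency(edges):
    """Turn the edge list into an undirected adjacency map."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable_from_cui(assets, edges):
    """Return every asset that has a network path to at least one CUI asset.

    Breadth-first search seeded with all CUI assets; the CUI assets
    themselves are included in the result.
    """
    adj = build_adjacency(edges)
    seen = {name for name, attrs in assets.items() if attrs["category"] == CUI}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def scoping_findings(assets, edges):
    """Return (asset, issue) pairs for scoping decisions that are not defensible."""
    connected = reachable_from_cui(assets, edges)
    findings = []
    for name, attrs in assets.items():
        cat = attrs["category"]
        if cat == OOS and name in connected:
            findings.append((name, "declared Out-of-Scope but has connectivity to a CUI asset"))
        if cat == CRMA and not attrs.get("justification", "").strip():
            findings.append((name, "Contractor Risk Managed without a documented risk analysis"))
        if cat == CUI and attrs.get("cloud") and not attrs.get("fedramp_moderate"):
            findings.append((name, "cloud service handling CUI lacks FedRAMP Moderate or equivalent"))
    return findings


def flagged_assets(assets, edges):
    """Convenience view: the set of asset names with at least one finding."""
    return {name for name, _ in scoping_findings(assets, edges)}


if __name__ == "__main__":
    for name, issue in scoping_findings(ASSETS, EDGES):
        print(f"{name}: {issue}")
```

Run against the constructed data, the check flags `rmm-platform`, `print-server` and `cloud-storage` and leaves `hr-laptop` and `marketing-web` alone, because they have no path to a CUI asset. The reachability walk is the part worth keeping: it is the same question an assessor asks when tracing a CUI flow across your declared boundary, and re-running it whenever the diagram or the inventory changes is a cheap way to catch the drift the segmentation section warns about.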
What Your C3PAO Assessor Expects to See
A CMMC Level 2 assessment begins with assessors reviewing your System Security Plan and associated scoping documentation. Your scoping artifacts should include:
- A complete asset inventory categorized by CMMC asset type
- Current network diagrams showing CUI data flows and boundary controls
- A CUI data flow diagram tracing CUI from ingestion through processing and storage
- Documentation of all external service providers and cloud services in scope
- Written justification for any Contractor Risk Managed or Out-of-Scope designations
- Evidence that CUI categories have been identified using the CUI Registry
C3PAO assessors are actively looking for CUI flows that cross your declared boundary without being accounted for. Inconsistencies between your SSP, network diagrams, and what assessors observe on-site are among the most common sources of findings.
Common CMMC Scoping Mistakes and How to Avoid Them
- Treating email as out of scope. If contract data or CUI-adjacent communications flow through your email environment, that environment is very likely in scope.
- Excluding IT management systems. RMM platforms, patch management systems, and backup solutions that touch CUI systems are security protection assets.
- Assuming commercial cloud equivalency. ISO 27001 and SOC 2 do not satisfy the FedRAMP Moderate requirement for cloud services processing CUI.
- Missing subcontractor data flows. If your subcontractors receive CUI from your systems, that must be reflected in your scoping documentation.
- Outdated network diagrams. Scoping becomes invalid the moment your architecture changes without documentation being updated.
How a CMMC Consulting Engagement Supports the Scoping Process
The scoping process is where the foundational decisions that determine your compliance cost, timeline, and risk exposure are made. It is also where the value of an experienced CMMC consulting partner is most immediately apparent.
A structured scoping engagement includes a systematic review of your IT asset inventory, facilitated interviews with business unit leads and IT staff, analysis of your network architecture and data flows, and production of a scoping report that becomes a direct input to your SSP.
Whether your organization is new to CMMC or revisiting a prior scoping effort that didn't survive scrutiny, getting this step right is not optional. It is the prerequisite for everything that follows.
How Compass IT Compliance Can Help
Compass IT Compliance has guided defense contractors and subcontractors through every stage of the CMMC journey, from initial scoping and gap assessments to remediation support and assessment readiness. Our team understands how CUI actually moves through real-world environments, and we help organizations draw assessment boundaries that are defensible, cost-effective, and built to withstand C3PAO scrutiny. Contact us today to discuss your CMMC scoping questions and find out how we can help you build a compliance strategy that starts on solid ground.