Resource Guide — Compliance

How to Scope Your CUI Environment (And Why It's the Most Important Step)

Scoping is the single biggest cost driver in CMMC compliance. Define it too broadly and you're securing systems that don't need it. Too narrow and your assessment fails. Here's how to do it right.

Why Scoping Is the Most Important Step

Here's the dirty secret of CMMC compliance: the biggest cost variable is not which consultant you hire or which security tools you buy. It's how big your CUI environment is. A company that scopes tightly and builds a well-defined CUI enclave might spend $60,000 on CMMC. The same company, if they put their entire network in scope, might spend $200,000.

Scoping determines how many systems need to be secured, how many people need to comply, how many policies need to be written, and how complex your assessor's work will be. Get it wrong in either direction — over-scope or under-scope — and you pay for it.

Under-scoping is worse. If you miss systems that actually touch CUI, your assessment fails and you have to remediate and go back. But over-scoping is painful in its own way — you're securing systems that don't need to be secured, writing policies for processes that don't involve CUI, and paying assessors to review systems that have nothing to do with your defense work.

The Core Principle

Your CUI environment is defined by where CUI flows — not by where your company's IT systems are. Systems that never touch CUI are out of scope. Systems that touch CUI even occasionally are in scope. Follow the data.

The Five Asset Categories

CMMC scoping guidance (from the CMMC Scoping Guidance document published by the DoD) defines five categories of assets. Every asset in your environment falls into one of these categories:

1. CUI Assets

Systems, components, and devices that process, store, or transmit CUI. These are the core of your assessment. All 110 NIST 800-171 controls apply to these assets. Examples: the file server where drawings are stored, the workstations used to open and work with controlled documents, the email system that receives controlled data from your prime, the cloud storage platform for CUI files.

2. Security Protection Assets

Systems that protect your CUI assets but don't directly process CUI themselves. These are in scope because compromising them could compromise your CUI. Examples: your firewall, your VPN concentrator, your EDR management console, your identity provider (Active Directory, Entra ID, formerly Azure AD), your SIEM. They are assessed against the controls that are relevant to the protection they provide, so the specific implementation may differ from CUI Assets.

3. Contractor Risk Managed Assets

Assets that can, but are not intended to, process, store, or transmit CUI because of the security policies, procedures, and practices you have in place. They are neither fully inside the CUI environment nor entirely out of it. You list them in your asset inventory, network diagram, and SSP, and document the risk and the mitigating controls. Assessors normally review that documentation rather than test every control on these assets, but if the documentation doesn't hold up they can pull the asset into the full assessment. This category requires careful documentation but allows flexibility for systems that touch the edge of your CUI boundary.

4. Specialized Assets

Industrial control systems (ICS/SCADA), IoT devices, operational technology (OT), test equipment, and other assets that can't practically implement all NIST 800-171 controls because of their nature. You document them, identify what controls they can implement, and describe mitigating measures for controls they can't. CNC machines with network connections for G-code transfer are a common example in manufacturing.

5. Out-of-Scope Assets

Systems that never process, store, or transmit CUI and are not connected to CUI Assets or Security Protection Assets in ways that could affect them. These are simply excluded from your assessment. Your commercial billing system (if isolated from CUI networks), your marketing website, your HR system (if properly isolated) — these might legitimately be out of scope.

Mapping Your CUI Boundary

Defining your CUI boundary is a documentation exercise as much as a technical one. You need to follow the data from its entry point through your organization to understand what's in scope:

  1. Entry points — Where does CUI enter your organization? Email from primes? Drawing portals? Physical shipments? USB drives? Each entry point is the start of a data flow to trace.
  2. Processing locations — Where is CUI opened, viewed, edited, or used? Which workstations? Which shared drives? Which applications?
  3. Storage locations — Where does CUI live at rest? File servers, cloud storage, email archives, local laptop drives, removable media?
  4. Transmission paths — How is CUI sent internally and externally? Email? File sharing platforms? VPN file transfers? Physical shipments?
  5. Exit points — Where does CUI go when it leaves your organization? To primes, to government agencies, to subcontractors?

Every system that appears in this map is in scope. Every system that doesn't appear in it may be out of scope, provided it also doesn't protect an in-scope system (a firewall or identity provider that never touches CUI is still a Security Protection Asset).
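The five steps above are a data-flow trace, and the trace can be done mechanically once the flows are written down. The script below is an added example, not part of this guide; every asset name and flow in it is a constructed inventory for a hypothetical small manufacturer. It walks the flows from the entry points to find every asset CUI reaches, then compares that traced boundary against the boundary the company declared, which is the check an assessor performs when they look for CUI flowing to systems you called out of scope. It goes one step beyond the list above by catching the common misses (backups, printers, CNC machines fed with G-code) as ordinary flows rather than special cases.

```python
"""Trace CUI data flows through an asset inventory to derive the CMMC scope.

Added example, not from the original guide. ASSETS, FLOWS, ENTRY_POINTS and
DECLARED_OUT_OF_SCOPE are a constructed inventory with hypothetical names.
"""
from collections import defaultdict, deque

# Constructed inventory: hypothetical asset name -> description (reporting only).
ASSETS = {
    "prime-email-gateway": "entry point: email from the prime",
    "cui-mailbox-eng": "engineering CUI mailbox",
    "eng-ws-01": "engineering workstation",
    "eng-ws-02": "engineering workstation",
    "fileserver-cui": "file server holding controlled drawings",
    "backup-nas": "backup appliance",
    "mfp-shopfloor": "networked multifunction printer",
    "cnc-03": "CNC machine (specialized asset)",
    "accounting-app": "commercial accounting system",
    "hr-app": "HR system",
    "marketing-site": "public marketing website",
}

# Directed flows: CUI, or a copy of it, moves from the first asset to the second.
FLOWS = [
    ("prime-email-gateway", "cui-mailbox-eng"),
    ("cui-mailbox-eng", "eng-ws-01"),
    ("cui-mailbox-eng", "eng-ws-02"),
    ("eng-ws-01", "fileserver-cui"),
    ("eng-ws-02", "fileserver-cui"),
    ("fileserver-cui", "backup-nas"),   # backups store copies of CUI
    ("eng-ws-01", "mfp-shopfloor"),     # printed and scanned drawings
    ("fileserver-cui", "cnc-03"),       # G-code derived from controlled drawings
    ("accounting-app", "hr-app"),       # commercial flow that never carries CUI
]

# Step 1 of the mapping exercise: where CUI enters the organization.
ENTRY_POINTS = ["prime-email-gateway"]

# What the company wrote in its SSP. backup-nas is deliberately wrong here.
DECLARED_OUT_OF_SCOPE = {"accounting-app", "hr-app", "marketing-site", "backup-nas"}


def build_graph(flows):
    """Adjacency sets: asset -> assets that receive CUI from it."""
    graph = defaultdict(set)
    for src, dst in flows:
        graph[src].add(dst)
    return graph


def trace_scope(flows, entry_points):
    """Breadth-first walk from the entry points; everything reached is in scope."""
    graph = build_graph(flows)
    in_scope = set()
    queue = deque(entry_points)
    while queue:
        asset = queue.popleft()
        if asset in in_scope:
            continue
        in_scope.add(asset)
        queue.extend(graph[asset] - in_scope)
    return in_scope


def find_boundary_violations(in_scope, declared_out_of_scope):
    """Assets declared out of scope that the flow trace actually reaches."""
    return set(declared_out_of_scope) & set(in_scope)


def scope_report(assets, flows, entry_points, declared_out_of_scope):
    """Traced scope, leftover assets, and declared-vs-traced mismatches."""
    in_scope = trace_scope(flows, entry_points)
    return {
        "in_scope": sorted(in_scope),
        "out_of_scope": sorted(set(assets) - in_scope),
        "violations": sorted(find_boundary_violations(in_scope, declared_out_of_scope)),
    }


if __name__ == "__main__":
    report = scope_report(ASSETS, FLOWS, ENTRY_POINTS, DECLARED_OUT_OF_SCOPE)
    for asset in report["in_scope"]:
        print(f"IN SCOPE      {asset:22} {ASSETS[asset]}")
    for asset in report["out_of_scope"]:
        print(f"OUT OF SCOPE  {asset:22} {ASSETS[asset]}")
    for asset in report["violations"]:
        print(f"MISMATCH      {asset:22} declared out of scope but CUI flows to it")
```

With the constructed inventory the trace pulls in eight assets and flags backup-nas, which was declared out of scope while the file server it backs up is in scope. Replace the inventory with your own asset list and flows (every entry point, every share, every backup job, every printer) and re-run it whenever a flow changes; a new mismatch means the SSP is out of date before an assessor finds it for you.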

The Enclave Approach: Why It Saves Money

The most powerful scoping strategy for small defense contractors is the CUI enclave: a defined, segmented portion of your environment where all CUI processing occurs. Everything outside the enclave that neither handles CUI nor protects the enclave (your firewall and identity provider are still Security Protection Assets) is out of scope.

Here's a concrete example: a 30-person manufacturer that does both commercial and defense work. Their defense work accounts for 40% of revenue. If they put their entire company network in scope, they're securing 30 workstations, 10 servers, 30 email accounts, and all their business applications. That's expensive.

With an enclave approach, they identify: 8 engineers and machinists who actually touch CUI, 3 servers where CUI files are stored, 1 email domain for CUI communication. The enclave has 8 workstations, 3 servers, and 1 email system in scope, plus the firewall, VPN, and identity provider that protect it as Security Protection Assets. Everything else, the commercial engineering systems, the accounting software, the HR system, is out of scope. Compliance cost drops by more than half.

Over-scoping costs more immediately — you're securing systems you don't need to secure. Under-scoping costs more later — you failed your assessment and have to do it again. The right boundary is the one that accurately reflects where CUI actually flows.

Common Scoping Mistakes

  • Putting the entire company network in scope by default — This is the most expensive mistake. Start with a strict CUI boundary and expand only where you have evidence CUI flows.
  • Forgetting email — Email is almost always in scope because that's how most contractors receive CUI from primes. Many companies forget to scope their email system and then have to add it later.
  • Forgetting backups — Your backup system stores copies of your CUI. If your CUI servers are backed up, the backup system is in scope.
  • Not scoping remote access infrastructure — Your VPN, your remote desktop servers, and the devices remote workers use to access CUI — all in scope.
  • Assuming cloud services are automatically compliant — Just because your data is in the cloud doesn't mean it's in a compliant cloud environment. Under DFARS 252.204-7012, a cloud service that stores or processes CUI must meet the FedRAMP Moderate baseline (or equivalent) and support the incident-reporting obligations; confirm this in writing with the provider rather than assuming it.
  • Forgetting about printers and copiers — Networked printers and multifunction devices that print or scan CUI are in scope. Most have internal storage.

How Scoping Affects Your Assessment

When a C3PAO assesses you, they start with your System Security Plan (SSP), which describes your CUI environment and what's in scope. They then verify that your scoping is accurate through interviews, technical testing, and evidence review. If they find systems that process CUI but weren't included in your scope, that's a finding — and potentially a significant one.

Assessors also look for CUI leaking past your declared boundary: situations where your SSP claims a narrow CUI environment, but the technical evidence (mail logs, file shares, backup jobs) shows CUI actually flowing to systems you claimed were out of scope. If your "commercial" email account receives CUI from primes, it's in scope whether you scoped it or not.

Need help defining your CUI boundary?

Our free readiness check asks about your data flows and helps identify what's in scope for your environment. Takes 2 minutes.

Take the Free Readiness Check →

Frequently Asked Questions

Do I need physical separation between CUI and non-CUI systems?

Physical separation can help establish a boundary, but it's not required and not always practical. Logical separation (network segmentation, access controls, separate virtual environments) is equally valid if implemented correctly. A VLAN that prevents CUI systems from communicating with non-CUI systems, with firewall rules enforcing that separation and logs that prove it, is a legitimate boundary; be ready to show the assessor the rules and a test that traffic across the boundary is actually blocked. Physical separation is often unnecessary and expensive for small contractors.

Is my entire email system in scope?

Only the email accounts that receive, send, or contain CUI need to be in scope. If only 3 of your 20 employees ever receive or send CUI by email, you might be able to create a separate email domain or group for CUI communication (on a compliant platform) and keep the other 17 accounts out of scope. But if all email goes through one server and CUI flows to anyone's account, the entire email system is in scope. You need to audit where CUI email actually goes, and keep auditing it, because a prime who emails the wrong person pulls that mailbox into scope.

Is my accounting system in scope?

Probably not. An invoice for a defense contract is Federal Contract Information (FCI), not CUI, as long as the invoice doesn't contain controlled technical data. Basic financial information about defense contracts (amounts, dates, line items at a high level) is FCI, which requires Level 1 protection. If your accounting software is isolated from your CUI environment and doesn't contain technical data, it's likely out of scope for Level 2. Confirm with an RPO for your specific situation.

Can I store CUI in SharePoint or Google Drive?

Cloud storage services that hold CUI must meet the DFARS 252.204-7012 requirement: FedRAMP Moderate (or equivalent) authorization plus the incident-reporting obligations. Standard SharePoint in Microsoft 365 Commercial and standard Google Drive are not the environments those vendors offer for controlled data, and they do not provide the U.S.-persons data-handling assurances that export-controlled (ITAR) CUI requires. Microsoft 365 GCC High and Google Workspace Government (with appropriate configuration) are the alternatives built for this. If you're currently storing CUI in standard SharePoint or Google Drive, treat that as a gap to close before assessment.

Are my subcontractors covered by my certification?

No. Subcontractors who handle your CUI need their own CMMC compliance; they're not covered by your certification. But from your scoping perspective, the systems and connections you use to share CUI with your sub (email, secure file transfer, shared portals) are in scope for your assessment. You need to document the flow of CUI to your subs and the controls on that flow, even if the sub's own environment isn't part of your assessment.

Get your scope right before you spend a dollar on remediation.

Our free readiness check identifies your CUI environment and shows you what needs to be secured — and what doesn't.

Start Free Readiness Check →

2 minutes. No email required to see results.

Or see pricing & packages →