CMMC Level 2 · Network Architecture · Last reviewed
CMMC Network Segmentation: Requirements, Architecture, and Assessment Evidence
CMMC network segmentation is a way to isolate the systems that handle Controlled Unclassified Information (CUI) from the rest of your network, so the boundary a Level 2 assessment measures is smaller. It is not a named CMMC requirement. It’s an architecture and scoping method you use to satisfy boundary, CUI-flow, and public-system controls — and to reduce how many of your assets an assessor has to evaluate.
You opened your network diagram, saw one flat network with your CUI file server sitting next to the front-desk PC and the shop-floor machines, and asked the only question that matters for your budget: does my whole company have to meet CMMC, or just part of it?
Segmentation is how you make the answer “just part of it.” Done right, it can shrink the assessment from your entire company down to a defined enclave, which is where compliance cost actually lives. But here’s the part most vendors won’t say out loud: it does notwall everything else off automatically, and a badly built boundary can cost you money and still collapse under the assessment. Both of those caveats are the whole reason this page exists — so let’s get them right.
We read the primary sources so you can act on them: 32 CFR Part 170 (the CMMC Program Rule), NIST SP 800-171 Revision 2 (the 110 Level 2 security requirements), the Department of Defense’s CMMC Level 2 Scoping Guide and Assessment Guide, the DoD’s official CMMC Program FAQ, the Cyber AB’s CMMC Assessment Process, and DFARS clauses 252.204-7012, -7019, -7020, -7021, and -7025. Where a claim comes from a rule, we cite the rule. Where it’s our editorial judgment, we say so.
Does network segmentation fit your situation? The 60-second read
Network segmentation is the right primary strategy when your CUI footprint is genuinely narrow and separable, and the wrong one when most of your company already touches CUI. The table below is the fast decision. Everything after it is the proof, the architecture options, and the evidence an assessor will actually test.
| Question | Bottom line |
|---|---|
| Is “network segmentation” a named CMMC control? | No.It’s a method used to satisfy several boundary, flow, and public-system requirements — and to keep your assessment scope small. |
| Can I use logical separation, or do I need physically separate networks? | Logical separation is allowed. Physical separation (an air gap) is one option, not a universal requirement (CMMC Level 2 Scoping Guide). |
| Is a VLAN enough? | A VLAN can be part of the answer — but the label alone proves nothing. The configuration has to actually stop unauthorized transfer, and you have to be able to test it. |
| Does segmentation shrink the CUI boundary to only the CUI enclave? | Not by itself.Security Protection Assets, some Contractor Risk Managed Assets, Specialized Assets, and certain external services can stay in scope even when they sit outside the CUI VLAN (32 CFR § 170.19). |
| Does segmentation reduce the 110 Level 2 requirements? | No. It reduces how many assets are assessed and how each category is treated. Your CUI Assets are still measured against all 110. |
| What actually proves the boundary? | A consistent asset inventory, network diagram, System Security Plan (SSP), approved-flow rules, firewall/ACL configs, logs, and reproducible allowed-vs-blocked tests. |
| When is segmentation the wrong call? | When CUI is everywhere, shared services make the boundary artificial, or staff would constantly work around it. A broader Level 2 environment can be simpler and more defensible. |
Where CMMC stands right now: The 48 CFR acquisition rule took effect November 10, 2025, starting a four-phase rollout defined in 32 CFR § 170.3(e). Phase 1 runs November 10, 2025 through November 9, 2026 and centers on Level 1 and Level 2 self-assessments, though the DoD may require a C3PAO assessment for specific contracts. Phase 2 begins November 10, 2026, when Level 2 C3PAO certification starts appearing as a condition of award for applicable new contracts (though a certification condition may be deferred to an option period). CMMC Level 2 is assessed against NIST SP 800-171 Revision 2— not Revision 3 (CMMC Program FAQ).
Why that last date matters: the fixed deadline is Phase 2 on November 10, 2026, and your network architecture is the first thing that determines how much lead time you need. For a CUI environment, readiness is rarely a matter of weeks. If a Phase 2 contract will require a certified Level 2 environment, the architecture decision on this page is not a “someday” decision.
The right CMMC provider isn’t the same for every contractor.
The category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause — flagged in the solicitation — sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
What does CMMC network segmentation actually require?
CMMC Level 2 contains no requirement titled “network segmentation.” Segmentation is the architecture method you use to satisfy requirements about controlling communications at boundaries, controlling CUI flow, isolating publicly accessible systems, and denying traffic by default — and to justify that certain assets sit outside your assessment scope. Physical or logical separation becomes specifically material the moment you claim an asset is Out-of-Scope (32 CFR § 170.19).
That distinction sounds academic. It isn’t. It’s the difference between buying a firewall and thinking you’re done, versus building a boundary you can prove.
Segmentation is a method — not a product, and not a certification
No firewall, VLAN, microsegmentation platform, secure cloud, or “CMMC-ready” enclave gives you CMMC certification. Your organization earns a CMMC status by meeting and demonstrating the applicable requirements across your assessment scope. A product can help you get there. It cannot get there for you, and any vendor implying otherwise is selling past the truth.
CMMC Level 2 incorporates all 110 security requirements from NIST SP 800-171 Revision 2, organized into 14 families(which the CMMC model calls domains). Segmentation doesn’t shrink that list. And not every in-scope asset is measured the same way: CUI Assets are assessed against all 110 requirements; Security Protection Assets are assessed only against the requirements relevant to the security capabilities they provide; and Contractor Risk Managed Assets and Specialized Assets receive the distinct treatment specified in 32 CFR § 170.19. What segmentation changes is which of your assets land in which category — and how many end up fully in scope.
Scoping questions and security questions are two different things
| The scoping question | The security question |
|---|---|
| Which assets are CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, or Out-of-Scope? | Do the controls you implemented actually work? |
| Can you justify the boundary you drew? | Are approved flows enforced and unapproved flows blocked? |
| Do your inventory, SSP, and network diagram describe the same environment? | Do configs, logs, interviews, and tests back up the documentation? |
Segmentation lives on the left. It answers “what’s in scope.” But every scoping decision you make creates a security-and-evidence obligation on the right — and that’s where boundaries fall apart under assessment.
The one hard truth about segmentation
Here’s the admission most CMMC marketing skips: a badly built boundary is worse than no boundary at all. If you stand up a “CUI VLAN” with no enforced policy between it and the corporate LAN, or you label systems “out of scope” while they still have a live path to CUI, you’ve spent money on separation andyou’ve set yourself up for pain. A defect doesn’t necessarily fail your whole certification — but the affected assessment objectives can be found NOT MET, and a claimed Out-of-Scope treatment can simply be rejected, which expands your scope right back out during the assessment (32 CFR §§ 170.17, 170.19).
Now the hopeful part, because this is very learnable: the requirements are knowable, the architectures are a short list, and the evidence an assessor examines is predictable. Get the architecture right up front and segmentation becomes one of the biggest levers you have for cutting CMMC cost and risk. The rest of this page is the map.
Map your boundary before you buy tools. Answer a few non-sensitive questions about where CUI enters, which services are shared, and how traffic is controlled, and get pointed to the provider category that fits the problem.
Which NIST SP 800-171 Rev. 2 controls push you toward segmentation?
Segmentation isn’t required by name, but a cluster of NIST SP 800-171 Rev. 2 requirements makes it the practical way to comply when you choose a segmented architecture: boundary protection at external and key internal boundaries (3.13.1), a separated subnetwork for public-facing systems (3.13.5), deny-by-default traffic (3.13.6), separation of user and management functions (3.13.3), and control of CUI flow (3.1.3). Remote-access and transmission requirements pull in the same direction. In CMMC these carry a domain-and-level label — for example, SC.L2-3.13.1 means System and Communications Protection, Level 2, NIST requirement 3.13.1.
This is the part of the internet you’d otherwise assemble from a dozen browser tabs. We built it into one table. Below, each requirement is paired with the job it does in a segmented environment, where you actually enforce it, the evidence that proves it, a test you can run yourself, and the “false proof” trap that fails contractors who thought they were fine.
The CMMC Network Segmentation Control → Evidence Matrix
| Authority / requirement | Official requirement (plain-language summary) | Role | Where you enforce it | Evidence a C3PAO can examine | DCR challenge test | The “false proof” trap |
|---|---|---|---|---|---|---|
| 32 CFR § 170.19 | Defines the CMMC Assessment Scope and how each asset category is treated | Scope gate | The CUI boundary and every asset/service relationship | Asset inventory, SSP, network diagram, category rationale, Customer Responsibility Matrix | Pick a sample asset and CUI path; explain why it’s a CUI Asset, SPA, CRMA, Specialized, or Out-of-Scope | Treating the world as just “inside” and “outside” |
| AC.L2-3.1.3 | Control the flow of CUI in accordance with approved authorizations | Core | Firewall, ACL, proxy, secure transfer point | CUI-flow map; source-destination-protocol-port authorization matrix; rules; approvals; logs | Confirm one approved flow works and one unapproved flow is blocked | “The CUI VLAN exists” while broad routing between zones remains open |
| AC.L2-3.1.12 | Monitor and control remote-access sessions | Conditional | VPN, ZTNA gateway, VDI gateway, jump host | Remote-access policy, MFA config, session settings, connection logs | Attempt access with an unauthorized account/device/location; verify denial | Assuming “we have a VPN” proves remote access is controlled |
| AC.L2-3.1.14 | Route remote access via managed access-control points | Conditional | Managed VPN / remote-access gateway | Diagram, client routes, gateway config, approved access points | Try an alternate route that bypasses the managed gateway | An unmanaged side connection reaches the CUI environment |
| AC.L2-3.1.20 | Verify and control/limit connections to and use of external systems | Supporting / conditional | Egress gateway, proxy, firewall, secure exchange service | External-connection inventory, business approvals, destination/protocol rules, logs | Attempt an unapproved external destination or protocol; verify enforcement | Unrestricted outbound traffic because only inbound exposure was considered |
| AC.L2-3.1.22 | Control CUI posted or processed on publicly accessible systems | Conditional | Public/DMZ tier, web publishing workflow, review process | Public-system inventory, content-review process, config | Verify no CUI is reachable on a public-facing system | Assuming public web assets can’t touch CUI without checking |
| SC.L2-3.13.1 | Monitor, control, and protect communications at external and key internal boundaries | Core | Perimeter and internal firewalls, gateways, IDS/IPS | Boundary diagram, config, rule set, monitoring records, review evidence | Send approved and prohibited traffic across a defined boundary; verify control and visibility | A clean-looking diagram with no matching enforcement or monitoring |
| SC.L2-3.13.2 | Apply security-engineering principles and secure architecture | Supporting | Architecture and change-design process | Design rationale, trust-zone model, architecture review, change record | Trace a real CUI workflow and compare it against the documented design | Buying a product without documenting why the design protects the workflow |
| SC.L2-3.13.3 | Separate user functionality from system-management functionality | Supporting | Management network/interface, jump host, privileged-access workstation, PAM | Admin-path diagram, role rules, config, privileged logs | Verify ordinary users can’t access system-management functions; verify management-network separation where used | Separate admin accounts, but an open network path from ordinary endpoints |
| SC.L2-3.13.5 | Place publicly accessible components on subnetworks physically or logically separated from internal networks | Conditional | DMZ, public subnet, reverse-proxy tier | Public-component inventory, DMZ diagram, inbound/east-west rules, logs | Verify a public component can’t initiate an unauthorized path inward | Treating 3.13.5 as the rule for all internal CUI segmentation (it’s about public systems) |
| SC.L2-3.13.6 | Deny network traffic by default; permit by exception | Core | The system boundary and identified points within the system, via managed interfaces | Default-deny config, explicit allow rules with rationale/owner/review date, logs | Send unmatched traffic and verify it’s denied; test each required exception works | Broad any-any rules or an implicit-allow posture |
| SC.L2-3.13.7 | Prevent split tunneling during remote access | Conditional | VPN client and gateway | Client route config, remote-access policy, gateway controls, logs | During a remote session, attempt the competing external path the control blocks | Tunneling the CUI route while leaving an uncontrolled second connection open |
| SC.L2-3.13.8 | Use cryptographic mechanisms — or alternative physical safeguards — to prevent unauthorized disclosure of CUI in transit | Supporting | TLS, IPsec, VPN, secure transfer mechanism | Crypto config, protocol/certificate inventory, FIPS evidence where required | Confirm CUI isn’t observable in plaintext on the tested path | Treating encryption as separation rather than transit protection |
| SC.L2-3.13.11 | Employ FIPS-validated cryptography when used to protect CUI confidentiality | Supporting | Crypto modules across in-scope systems | FIPS validation certificates, crypto configuration | Confirm the modules protecting CUI are FIPS-validated | Assuming “it’s encrypted” satisfies the requirement without FIPS validation |
The official language and the examine-interview-test method come from the CMMC rule, the NIST publication, and the DoD Level 2 Assessment Guide. The connective tissue — roles, enforcement examples, challenge tests, and the false-proof column — is ours, built to turn a list of controls into an architecture you can build and defend.
Why Revision 2 — and why it matters here
Design to the wrong standard and you’ll implement controls that aren’t the ones being assessed. The DoD’s CMMC Program FAQ states plainly that CMMC assessments are conducted against NIST SP 800-171 Revision 2, and that while a company may choose to implement Revision 3, it must still account for the current CMMC Revision 2 baseline until the rule changes through the formal process. Any competitor page telling you Level 2 maps to “800-171 r3” is describing a future that isn’t the assessment reality today.
Is a VLAN enough for CMMC network segmentation?
A VLAN can be a legitimate part of logical separation — but the VLAN label or subnet assignment is not the proof. The question an assessor asks is whether your configuration actually prevents unauthorized transfer, permits only approved flows, produces usable evidence, and survives testing. And one thing is settled: encryption alone does not create the boundary (CMMC Program FAQ).
This is one of the most common points of confusion we see in defense-contractor forums — “Can we use VLANs, or do the networks have to be physically separate?” So let’s answer it precisely.
Logical separation vs. physical separation
The DoD’s Scoping Guide defines both, and the CMMC Program FAQ names the mechanisms that count. Physical separation means no connection at all — wired or wireless. Logical separation means data transfer between physically connected assets is prevented by non-physical means such as firewalls, routers, VPNs, or VLANs. Note that VLANs are explicitly on that list. The catch is the word prevented.
| Method | What it means | Potential CMMC use | Main limitation |
|---|---|---|---|
| Physical separation (air gap) | No wired or wireless connection between environments | Narrow environments needing complete disconnection | Expensive; doesn’t remove the controls that still apply inside the separated environment |
| VLAN only (Layer 2) | Logical separation at the switch level | One component of a boundary | Inter-VLAN routing or trunk misconfig can defeat it entirely |
| VLAN + restrictive ACLs | Logical separation with explicit traffic rules | Potentially defensible when documented, monitored, tested | Stateless or over-permissive rules leave hidden paths |
| VLAN + stateful internal firewall | Segmentation with inspected, logged, default-deny enforcement | Stronger evidence for controlled flows | Rule sprawl and undocumented exceptions undermine it |
| Microsegmentation | Workload-, host-, or identity-level enforcement | Useful in complex or cloud environments | Product complexity and policy drift; not a named CMMC requirement |
| Physical air gap for CUI | Complete disconnection of the CUI environment | Specialized cases | File-transfer, update, and maintenance workarounds create new uncontrolled paths |
Four VLAN scenarios, four verdicts
- VLAN with unrestricted inter-VLAN routing. Verdict: not persuasive evidence of separation. Traffic can move; the boundary is cosmetic.
- VLAN with source/destination ACLs.Verdict: potentially useful — if the rules actually block unauthorized transfer and you can demonstrate it with a test.
- VLAN behind a stateful, default-deny internal firewall. Verdict: this gives you a clear enforcement point and the logs to prove it — a common defensible on-prem pattern.
- VLAN, but shared identity, EDR, SIEM, backup, and administration span it. Verdict: your CUI traffic may be segmented while those shared services remain in scope as Security Protection Assets. Segmentation didn’t fail — but it didn’t shrink scope the way you assumed.
Encryption protects data in transit. It does not draw the boundary.
- Encryption alone does not create logical separation. In the FAQ’s words, logical separation is achieved by non-physical means such as firewalls, routers, VPNs, and VLANs; properly implemented encryption provides confidentiality but does not, by itself, prevent data transfer or enforce a network boundary. If you’re running TLS or IPsec across a flat network and calling those segments “separate,” an assessor won’t agree.
- Once an enclave is otherwise logically separated, encrypted CUI in transit doesn’t automatically drag the transit network into scope. The FAQ confirms that if your enclave is properly separated and CUI is encrypted before it leaves, the enterprise networking components carrying that encrypted traffic don’t have to be pulled into your assessment scope.
Both conditions have to be visible together. Encryption (or, less commonly, an alternative physical safeguard permitted under SC.L2-3.13.8) protects CUI in transit. That is not the same as drawing the boundary.
How does network segmentation change CMMC scope — and what stays in scope?
Segmentation reduces the number of assets assessed and changes how each category is treated — but it does not reduce the 110 Level 2 requirements, and it does not make everything outside your CUI VLAN automatically out of scope. The CMMC Level 2 Scoping Guide sorts every asset into five categories, and shared services like identity, logging, and backup often stay in scope even when they don’t hold CUI (32 CFR § 170.19).
The five Level 2 asset categories, translated for the network
| Category | Relationship to segmentation | What this page needs you to understand |
|---|---|---|
| CUI Asset | Processes, stores, or transmits CUI | Fully inside the CUI workflow; assessed against all 110 Level 2 requirements. Segmentation reduces how many systems land here. |
| Security Protection Asset (SPA) | Provides security functions to the scope (firewall, SIEM, identity provider, MFA, MSSP) | Assessed against the requirements relevant to the capability it provides. Can remain in scope even when it sits outside the CUI VLAN. Your segmentation devices themselves are usually SPAs. |
| Contractor Risk Managed Asset (CRMA) | Can, but is not intended to, handle CUI | Does not have to be separated from CUI Assets. Managed under your risk-based security policies, procedures, and practices. If evidence shows it actually processes, stores, or transmits CUI, it no longer fits the CRMA definition. |
| Specialized Asset | Can handle CUI but is hard to secure conventionally (OT, IoT, GFE, CNC, test equipment) | Documented in the asset inventory, SSP, and network diagram and managed under your risk-based policies. At Level 2, the assessor reviews the SSP and does not assess the Specialized Asset against the other CMMC requirements. |
| Out-of-Scope Asset | No CUI, no protection role, physically or logically separated | This is the goal of segmentation. It’s also the strongest claim an assessor probes — separation has to be technically enforced, not declared. |
Shared services that don’t hold CUI but still land in scope
| Shared service | Likely category | The deciding factor |
|---|---|---|
| Identity provider / SSO | SPA (or CUI Asset if it stores CUI) | Whether it stores CUI; the security function it provides |
| MFA service | SPA | The capability it provides to the scope |
| EDR / antivirus management | SPA | Whether it holds Security Protection Data |
| SIEM / log storage | SPA | What logs/config it holds |
| Backup platform | CUI Asset if backups contain CUI | Whether backups include CUI |
| DNS / DHCP | SPA or CRMA by role | Its actual role relative to CUI systems |
| Privileged admin / jump host | SPA | The admin path and what it can reach |
| Print server / printers | CUI Asset if CUI is printed | Whether CUI is printed or spooled |
| Hypervisor / management plane | SPA (guests may be CUI Assets) | What it hosts and administers |
| MSP / MSSP tooling (External Service Provider) | ESP, assessed within your scope | Whether it handles CUI or Security Protection Data, and which controls it's responsible for |
On that last row, be precise: an MSP or MSSP is an in-scope External Service Provider (ESP) when its services process, store, or transmit CUI or Security Protection Data. The DoD’s CMMC Program FAQ and § 170.19 are explicit that a provider handling neither CUI nor SPD does not meet CMMC’s ESP definition. An MSP is not automatically a Cloud Service Provider, and an ESP is not necessarily required to hold its own CMMC status — its responsibilities are documented in a Customer Responsibility Matrix (CRM) and assessed as part of your scope.
When a remote laptop can stay out of scope
There is a legitimate path to keep endpoints out of scope, and it’s narrow. Per the Scoping Guide and the current CMMC Program FAQ, an endpoint that accesses CUI through a Virtual Desktop Infrastructure (VDI) may remain out of scope only when the server-side configuration prevents all processing, storage, or transmission of CUI beyond keyboard, video, and mouse; copy/paste, file transfer, drive mapping, local printing, saving, and screenshots are blocked; CUI stays entirely within the session; multifactor authentication to the VDI server is separate from the unmanaged client; only authorized users can connect; access is restricted to allowable locations; and the configuration is verified. If the endpoint can process, store, transmit, print, save, or capture CUI, it becomes a CUI Asset.
Which CMMC segmentation architecture fits your environment?
CMMC doesn’t prescribe one network topology. The right pattern depends on where CUI enters, is processed, stored, transmitted, and printed — and a whole-enterprise design can be simpler than a narrow enclave when CUI and shared services are everywhere. The DoD Level 2 Assessment Guide recognizes that an assessment can cover an enterprise network or one or more enclaves, depending on the scope you define.
| Architecture | Best fit | Scope effect | Can support logical separation? | Controls most implicated | Primary cost / operating-burden drivers | Common failure mode | Likely provider category |
|---|---|---|---|---|---|---|---|
| Flat network (no segmentation) | Almost no one who handles CUI | Every connected system becomes a candidate for the boundary | No separation to rely on | — | Nothing to build upfront; burden lands on assessment scope and evidence | The population under § 170.19 balloons | Readiness partner to re-architect first |
| On-prem segmented CUI zone | Local engineering, file servers, controlled office CUI | Narrows CUI to selected systems | Potentially — only if rules prevent unauthorized transfer and it’s documented and tested | 3.13.1, 3.13.6, 3.13.3, 3.1.3 | Firewall/hardware, configuration, rule administration, evidence upkeep | Shared AD/backup/logging/printers quietly stay in scope | RPO + CMMC-focused MSP/MSSP or network integrator |
| Cloud / VDI enclave | Remote users, document-centric CUI | Can shrink endpoint scope under strict VDI rules | Potentially — with proper logical separation and VDI conditions met | Identity + SC family + inherited controls | Cloud subscription, migration, CRM management, endpoint lockdown | Assuming the cloud “does compliance”; endpoints still in scope unless KVM-only VDI | Enclave provider + readiness support |
| Hybrid (on-prem + cloud) | CAD locally, collaboration in the cloud, remote users | Effective but adds boundary legs | Potentially — each connection must be separated and documented | On-prem boundary controls, cloud controls, identity, remote access, encrypted transit | Duplicate tooling, two control sets, responsibility allocation, evidence across both | “Two compliant halves” that ignore the link, identity, and transfer path between them | RPO + MSP/MSSP with hybrid experience |
| OT / manufacturing segmentation | CNC, CMM, PLC, test equipment, engineering transfer | Can contain office scope while retaining Specialized Assets | Potentially for the boundary; Specialized Assets handled separately | 3.13.1 + Specialized Asset treatment | Industrial firewall, transfer station, OT constraints, legacy devices | Legacy protocols, removable media, vendor access, shared engineering PCs | RPO + implementer with OT/manufacturing experience |
| Whole-enterprise Level 2 | Most staff and systems legitimately touch CUI | Little boundary reduction, but fewer artificial exceptions | Enterprise-wide controls | The relevant requirements applied broadly | Broad implementation footprint; more systems to secure and staff | Trying to bolt on an enclave that doesn’t reflect reality | Readiness/implementation program, not an enclave seller |
On-prem enclave.The cleanest version is a dedicated CUI segment behind a stateful firewall running default-deny, with a separate management path so admins don’t reach the environment from ordinary desktops (SC.L2-3.13.3). If you have public-facing components — a VPN gateway or web portal — those go on a separated subnetwork such as a DMZ (SC.L2-3.13.5). The failure mode usually isn’t the firewall — it’s the shared backup, logging, and identity services that follow CUI home.
Cloud / VDI enclave.Moving CUI into a purpose-built government cloud can materially reduce your on-prem scope when the endpoint and shared-service conditions are met. But “we bought a GCC High or GovCloud tenant” is not a compliance strategy. When an external Cloud Service Provider stores, processes, or transmits covered defense information in performance of a contract containing DFARS 252.204-7012, the contractor must require and ensure FedRAMP Moderate-equivalent protections and the clause’s associated incident-reporting, preservation, and forensic-support obligations. CMMC and DFARS do not mandate Microsoft 365 GCC High or AWS GovCloud by brand — suitability depends on the data, the service, the contract clauses, authorization or equivalency evidence, your configuration, and the division of responsibility.
Hybrid. Two separately compliant environments do not automatically make one defensible environment. The connection between them, the split of responsibilities, the shared identity, the logs, and the data-transfer process all have to be in scope and documented.
OT and manufacturing.This is one of the more complex real-world cases: CNC machines and test equipment that receive engineering data but can’t run modern security tooling. One common pattern is a controlled transfer station and an industrial firewall segmenting the shop floor, with the machines documented as Specialized Assets. Availability and safety constraints are real here — don’t let a compliance design take a production line down.
Whole-enterprise.If your CUI is genuinely pervasive, an enclave can be a brittle fiction with dozens of exceptions to defend. Sometimes the honest answer is to bring the enterprise up to Level 2. We’d rather tell you that than sell you a boundary you’ll fight your assessor over.
Different problems need different providers.A scoping question, a firewall build, a managed cloud enclave, an evidence workflow, and a formal certification assessment are five different engagements — and blurring them is how contractors overpay. See how the categories compare on our CMMC scoping guide.
How do you build CMMC network segmentation, step by step?
Build from the CUI flow outward — not from a firewall inward. Confirm your contractual level and assessment type, map how CUI moves, classify your assets, define trust zones, authorize only the flows you need, test what’s allowed andwhat’s blocked, and make your inventory, diagram, SSP, configs, and logs all describe the same environment.
- Confirm the required level and assessment type. Your solicitation tells you. DFARS 252.204-7025is the solicitation provision where the contracting officer states the required level — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC) — and DFARS 252.204-7021is the contract clause that carries the continuing obligation and flow-down. A checklist can’t tell you your level; the solicitation and contract do. Record the solicitation, the level, the assessment type, and which systems will perform the work.
- Map every CUI touchpoint.Where does CUI enter (email, DoD portals, secure file transfer, supplier uploads)? Where is it processed, stored, transmitted, printed, backed up, and destroyed? Include removable media and shop-floor transfers. This data-flow map is the backbone of your SSP and your diagram — and it’s what surfaces the systems you forgot.
- Classify assets before you finalize the boundary. Use the five-category model above. Get this wrong and every downstream decision inherits the error. (Full logic on our scoping guide.)
- Define trust zones and enforcement points. Typical zones: internet, DMZ/public, corporate, guest, CUI user, CUI server, management, security tooling, remote access, OT, printers, backup, external provider. Every boundary between zones needs a named enforcement point.
- Build the approved-flow matrix.For each permitted flow, document source, destination, direction, protocol, port, business purpose, the CUI relationship, the control it supports, the owner, the approval, and the log source. If a flow isn’t on the matrix, it shouldn’t be allowed.
- Implement deny-by-default, permit-by-exception.The DoD Level 2 Assessment Guide’s illustrative example for SC.L2-3.13.6 describes a firewall between the CUI environment and other networks, deny-all rules, only the required outbound traffic permitted, testing of required services, a comment or rationale on every rule, and regular rule review. Use that as a DoD illustrative example of how one organization couldsatisfy the requirement — not as a prescribed architecture or a port list to copy.
- Separate public, admin, and remote-access paths. Place publicly accessible components on a physically or logically separated subnetwork; a DMZ is one common implementation (SC.L2-3.13.5). Separate user functionality from system-management functionality; a jump host or privileged-access workstation is one possible implementation (SC.L2-3.13.3). Route remote access through managed access points (AC.L2-3.1.14), and disable split tunneling (SC.L2-3.13.7).
- Instrument the boundary.Define log sources and destinations, the events you capture, who reviews them, alert conditions, retention, and time synchronization. A boundary with no visibility is a boundary you can’t prove.
- Run positive and negative tests.This is the step people skip in an informal plan, and it’s the one that turns a diagram into evidence. Prove an approved application flow succeeds. Then prove the unapproved cases fail: unapproved source, unapproved destination, unapproved port, a general workstation reaching a management interface, a public server initiating an inbound connection, a remote bypass path, a split-tunnel attempt, and a VDI attempting to copy or print. Verify that prohibited paths fail and that expected monitoring or logging operates where logging is part of your boundary-protection and evidence design. A boundary you’ve tested both ways is a boundary you can defend.
- Reconcile every artifact. Line up the asset inventory, network diagram, CUI-flow diagram, SSP, firewall config, remote-access config, ESP/CSP Customer Responsibility Matrix, logs, test results, policies, and change tickets. When these disagree, the discrepancy can trigger scope questions, a permitted CRMA limited check, rejection of an Out-of-Scope treatment, or a NOT MET finding against an affected objective.
- Assign change ownership.Name the rule owner, the technical owner, the information owner, the approving official, and the evidence owner, and set a review cadence and an emergency-change process. Segmentation is not a project you finish. It’s a state you maintain.
The Firewall Rule Authorization and Segmentation Test Worksheet
This is The Defense Compliance Report’s source-derived boundary-evidence template — built from the artifacts assessors consistently ask to see. It is not a CAP-prescribed form or a certification guarantee; the exact evidence an assessment team selects depends on the objectives, your implementation, and their sampling. Use one row per flow, and capture these fields:
Source trust zone · Destination trust zone · Source asset category · Destination asset category · Direction · Protocol and port · Business purpose · Authorized CUI flow (yes/no) · Related CMMC requirement · Firewall/ACL rule ID · Rule owner · Approving person · Approval date · Review date · Expiration date · Logging source · Positive test result · Negative test result · Change-ticket reference · Last verified date.
Fill it in as you work through Steps 5, 6, and 9 and you’ll have assembled most of your boundary evidence as a byproduct. An editable copy of this worksheet is forthcoming on our templates page.
What should a CMMC network diagram show?
A CMMC network diagram should make your assessment boundary and enforcement points understandable: the defined boundary, in-scope asset categories, external and key internal connections, CUI flows, security services, remote and cloud paths, and the enforcement points that make claimed separation real. The rule requires the applicable in-scope asset categories to be documented in the network diagram, but it does not mandate one icon per endpoint (32 CFR § 170.19).
We recommend three coordinated layers, because trying to show everything on one page produces a diagram nobody can follow — including an assessor:
- Layer 1 — Scope overview: the CMMC boundary, major trust zones, external connections, provider relationships, and facilities.
- Layer 2 — CUI flow: where CUI enters, is processed, stored, transmitted, output, printed, and transferred to suppliers, plus backup.
- Layer 3 — Enforcement and administration: firewalls, ACLs, remote-access gateways, the administrative path, identity, logging, and monitoring.
You can group identical assets — same baseline, same role, same zone, same policy treatment — as long as the individual detail lives in your asset inventory. Watch for the anti-patterns that draw assessor scrutiny: one box labeled “CUI enclave” with no internal detail, a missing cloud or remote path, missing shared identity and logging, no arrow direction, no enforcement point, a diagram that disagrees with the firewall config, or “out of scope” assets drawn with unrestricted connections.
What drives the cost of CMMC network segmentation?
There’s no single price, and anyone quoting one without seeing your environment is guessing. Segmentation cost is driven by the shape of your CUI problem, not a fixed line item — which is exactly why architecture decisions made early have such an outsized effect on the total.
The honest cost drivers: the number of distinct CUI workflows, your current security maturity, how many shared services touch CUI, the number of enforcement points you need, your endpoint model (managed devices vs. locked-down VDI), whether you’re migrating to a cloud enclave, OT and Specialized Asset constraints, the size of your evidence gap, staffing, and the cost of operatingthe boundary over time — rule review, testing, and documentation don’t stop after go-live. For a broader picture of what a Level 2 program costs end to end, see our CMMC Level 2 cost guide. The single biggest cost lever most contractors control is the one on this page: a smaller, well-drawn boundary means fewer systems to license, harden, monitor, and prove.
What evidence will a C3PAO examine and test?
Before a Level 2 certification assessment reaches its evidence-gathering phase, the C3PAO validates your assessment scope and confirms enough evidence will be available; scope disagreements are resolved first. During the assessment, assessors examine documents and configurations, interview the people responsible, and test boundary mechanisms — so a diagram with no reproducible technical evidence behind it is weak. This reflects the Cyber AB CMMC Assessment Process (CAP v2.0).
| Evidence item | What it should establish | Likely assessment method | Potential concern |
|---|---|---|---|
| Scope narrative | Why the boundary is drawn where it is | Examine / interview | Generic text unrelated to your actual data flow |
| Asset inventory | Every asset, owner, category, location, role | Examine / sample | Systems on the network that aren't in the inventory |
| Network diagram | Boundaries, zones, connections, security services | Examine / interview | Missing shared services or external paths |
| CUI-flow map | How CUI legitimately moves | Examine / interview / test | CUI reaching undocumented systems |
| Flow authorization matrix | Business justification for allowed traffic | Examine / test | Rules with no owner or purpose |
| Firewall / ACL export | The actual enforcement | Examine / test | Rules broader than documented; undocumented exceptions |
| Rule-review record | Ongoing governance | Examine / interview | Stale rules, no reviewer |
| Boundary logs | Visibility and enforcement | Examine / test | Logs inaccessible where logging is part of the design |
| Positive test records | Required business functions work | Examine / test | Controls break the workflow |
| Negative test records | Unauthorized paths fail | Examine / test | Prohibited paths succeed |
| Remote-access config | Managed access, MFA, routing, monitoring | Examine / test | A bypass or split-tunnel path exists |
| VDI config | No local CUI processing/storage/transmission | Examine / test | Clipboard, download, print, or screenshot enabled |
| ESP / CSP Customer Responsibility Matrix | Who's responsible for which control | Examine / interview | Controls unassigned or assumed |
| Change records | Architecture and evidence are current | Examine / interview | Diagram or SSP predates a major change |
The three methods, in plain terms: examine your documents, configs, and logs; interview your network admins, security staff, system owners, users, and any ESP personnel; and testthe technical mechanisms at the boundary using both permitted and prohibited traffic. And a safety note the CAP is firm about: don’t share CUI electronically during virtual evidence collection unless both sides are using conforming Level 2 environments.
Readiness help and formal assessment must stay separate — and there’s a hard rule here
This is the single most important trust-and-money rule on the page, and it’s more than a “grade your own homework” cliché. Under 32 CFR § 170.8(b)(17)(ii)(G), CMMC Ecosystem members are prohibited from participating in the Level 2 certification assessment process for an assessment in which they served as a consultant to prepare that organization for any CMMC assessment within the prior three years. The Cyber AB’s Code of Professional Conduct (v2.0) confirms this prohibition applies to the C3PAO as an organization and to every member of its assessment team, and it covers any preparatory or advisory work for any type of CMMC assessment.
Separately, the CAP bars a C3PAO, its assessment team, and affiliated personnel from providing remedial or implementation advice after an adverse readiness determination and then resuming that same suspended assessment. A C3PAO also cannot guarantee your outcome, and the assessment team cannot speculate about the likelihood of success during readiness determination. If a conflict can’t be sufficiently mitigated, the C3PAO must not proceed.
The practical takeaway: this is not a lifetime ban, but it is broader than “don’t fix problems mid-assessment.” Keep your readiness/implementation engagement and your certification assessment appropriately separated, and confirm conflict status in writing before you sign anything.
If that evidence table exposed gaps — missing configs, no negative tests, unclear ownership — your next engagement is readiness and implementation, not a certification assessment. Keep those roles distinct and you’ll avoid paying a C3PAO to discover problems a readiness partner should have fixed first.
When is network segmentation the wrong answer?
Segmentation is the wrong primary strategy when most of your enterprise legitimately handles CUI, when shared services make the proposed boundary artificial, or when staff would have to bypass the boundary to do normal work. In those cases a broader Level 2 environment can be simpler to operate and defend — whether it’s cheaper depends on your actual scope, current maturity, shared services, and workflow.
Here’s the boundary-fit judgment we’d apply, criterion by criterion — no score, no threshold, just the factors that actually move the decision:
- Breadth of legitimate CUI access. The more users who genuinely need CUI, the weaker the case for a narrow enclave.
- Number of shared Security Protection Assets. Heavy shared identity, logging, backup, and administration pull scope outward no matter how tight the CUI VLAN is.
- Required cross-boundary exception paths. Every routine exception is another thing to justify and test; a dozen of them is a signal.
- Local printing and output needs. Widespread printing of CUI expands scope and complicates a clean boundary.
- OT and Specialized Asset dependency.Manufacturing and engineering-transfer workflows add complexity that a simple office enclave can’t contain.
- Remote-access model. A workforce that must handle CUI locally is a different problem than one that can live inside a locked-down VDI.
- Whether the ordinary workflow can operate without routine bypasses. If people have to route around the boundary to get work done, the boundary won’t hold up.
Choose a segmented enclave when CUI has a genuinely narrow workflow, a limited group needs access, entry and exit points can be controlled, and you can actually operate the boundary day to day. Choose strict VDIonly when the workflow tolerates blocking local copy, download, printing, transfer, and screenshots — it may be unworkable for CAD or shop-floor drawing work. And use physical isolation only when the operational case justifies the patching, transfer, and maintenance overhead it creates.
The honest summary: segmentation carries its own configuration, documentation, testing, and exception-management burden. That burden is worth it when your CUI workflow is genuinely narrower than your enterprise. When it isn’t, a smaller boundary is just a bigger argument with your assessor.
Who should design, implement, operate, and assess a segmented environment?
Scoping advice, implementation, managed operations, GRC software, and formal assessment are five different services. An RPO or qualified readiness resource helps resolve scope; an MSP/MSSP or enclave implementer builds and runs the controls; a GRC platform supports the evidence workflow; and an authorized C3PAO conducts the certification assessment. The Cyber AB’s impartiality and conflict-of-interest rules apply across those relationships.
| What you need | Provider category | Trigger for this category | What it should do | What it does not establish |
|---|---|---|---|---|
| Determine likely scope and readiness path | RPO / RP or qualified readiness consultant | Scope is unresolved | Map CUI, classify assets, identify gaps, build the plan | Does not issue a Level 2 certificate |
| Build and operate network controls | CMMC-focused MSP, MSSP, or network integrator | The boundary must be built and run | Configure boundaries, identity, endpoints, logging, remote access, testing | Does not determine contractual applicability |
| Manage the evidence and compliance workflow | GRC platform (with CMMC templates) | SSP, evidence, and change management need structure | Track controls, host evidence, manage POA&Ms, support the SSP | Does not assess or certify |
| Conduct the formal Level 2 certification assessment | Authorized C3PAO | A C3PAO assessment is required or you want the certificate | Examine, interview, and test against the 110 requirements and assessment objectives | Does not guarantee the outcome or serve as a readiness consultant within the prior three years |
| Interpret disputed contract language | Qualified federal-contracts attorney | The contract language is in dispute | Provide legal interpretation | Does not design or operate your environment |
A note on verification: when a firm’s C3PAO or RPO/RP designation is material to your decision, confirm its current status in the Cyber AB Marketplace — and confirm it again on the day you engage, because status changes. MSPs, MSSPs, enclave providers, and GRC vendors are not automatically required to hold a Cyber AB designation; verify only the designation that’s material to the service you’re buying, and don’t read Marketplace presence as a Cyber AB endorsement.
The CMMC Path Frameworkmaps a contractor’s required CMMC level, FCI or CUI handling, assessment type, IT and cloud environment, and contract timeline to the provider category it needs. It routes to a category, not a named provider, and it is not a score, ranking, certification prediction, or compliance advice.
Get matched to the role you need — not the first company that sells “CMMC.” Tell us your required level, your current CUI boundary, your architecture, and your contract timeline, and we’ll point you to the source-checked provider category that fits your next unresolved step.
How do you keep the segmentation boundary valid after implementation?
A boundary stays defensible only while you evaluate and document changes to assets, CUI flows, rules, cloud services, remote access, and shared security tooling. The DoD’s CMMC Program FAQ directs contractors to assess the security and scope impact of relevant changes, update the SSP and supporting artifacts, and determine whether a significant change affects continuing CMMC status — with the affirming official involved.
| Change event | Scope question it creates | Artifacts to update | Tests to rerun | Affirming Official review indicated? |
|---|---|---|---|---|
| New application | Does it touch CUI or a security function? | Inventory, SSP, flow map, rule matrix | Approved + blocked flow tests | If it changes CUI handling or scope |
| New cloud service | Is it an ESP/CSP handling CUI or SPD? | Inventory, CRM, diagram | External-connection + transit tests | If it changes scope |
| New printer | Will it process or store CUI? | Inventory, SSP | Print-path test | If CUI is printed |
| Identity migration | Does the new IdP change the security boundary? | SSP, diagram, CRM | Access-control + remote-access tests | Likely |
| New remote-access method | Does it create a new boundary path? | Remote-access config, diagram | Bypass + split-tunnel tests | If it changes scope |
| Firewall replacement | Do the rules and logging still enforce the boundary? | Rule matrix, config, logs | Full positive/negative suite | If enforcement changes |
| New facility | Does CUI reach a new location? | Inventory, SSP, diagram | Boundary + physical tests | Likely |
| Acquisition | Does it merge networks or add CUI? | Inventory, SSP, diagram, CRM | Full re-scope + tests | Yes |
| Supplier exchange | New CUI in/out path? | Flow map, rule matrix | Transfer-path test | If it changes flows |
| Backup change | Will backups hold CUI? | Inventory, SSP | Restore + access test | If CUI is stored |
| SIEM/EDR change | Does it change a security capability in scope? | SSP, CRM, config | Logging/enforcement test | If SPA role changes |
| OT addition | New Specialized Asset or CUI path on the floor? | Inventory, SSP, diagram | Transfer-station + segmentation test | If it changes scope |
And don’t forget the status side. Level 2 operates on a three-year assessment cycle. When Final status follows a Conditional status, the three-year period runs from the Conditional CMMC Status Date. A Conditional Level 2 (C3PAO) status expires if the permitted Plan of Action and Milestones (POA&M) isn’t successfully closed within 180 days, and an affirming official must affirm continuing compliance at the time of assessment and annually thereafter— a lapse in that affirmation causes the status to lapse (32 CFR § 170.17). A boundary that drifts out of sync with your documentation puts every one of those on shaky ground.
Is my SPRS score the same as CMMC Level 2 status?
No. DFARS 252.204-7019 and -7020 concern the NIST SP 800-171 DoD Assessment score you post in the Supplier Performance Risk System (SPRS). DFARS 252.204-7025 and -7021 concern your current CMMC status, annual affirmation, and the CMMC unique identifier in SPRS. A score of 110 under the DoD Assessment Methodology is notitself a Level 2 CMMC status or a C3PAO certificate. Contractors who assume “we’re already at 110 in SPRS, so we’re Level 2 ready” are conflating two different regimes — worth untangling before a solicitation forces the issue.
What we actually verified
We think a page that tells you what a C3PAO will test should hold itself to the same standard. Here’s our work.
Verified , against the version of each source then current:
- 32 CFR Part 170— §§ 170.3(e) (phases), 170.8(b)(17) (conflict-of-interest and the three-year consultant prohibition), 170.14(c) (Level 2 and Level 3 requirement sets), 170.17 (Level 2 assessment, POA&M closeout, affirmation), 170.19 (scope and asset categories), and 170.24 (scoring), via eCFR.
- NIST SP 800-171 Revision 2 (February 2020, with updates through January 2021) control text for AC 3.1.3, 3.1.12, 3.1.14, 3.1.20, 3.1.22 and SC 3.13.1, 3.13.2, 3.13.3, 3.13.5, 3.13.6, 3.13.7, 3.13.8, 3.13.11; and NIST SP 800-171A (June 2018) for the examine-interview-test method.
- The DoD CMMC Program FAQ— that encryption alone does not create logical separation, that a properly separated enclave doesn’t extend scope to enterprise networking carrying encrypted CUI, the MSP/MSSP-as-ESP treatment, the VDI endpoint conditions, and that CMMC Level 2 is assessed against NIST SP 800-171 Revision 2.
- The CMMC Level 2 Scoping Guide and Level 2 Assessment Guide for the five asset categories, the physical-vs-logical separation definitions, and the illustrative boundary example.
- The Cyber AB CMMC Assessment Process (CAP v2.0) and Code of Professional Conduct (v2.0)for impartiality, the suspended-assessment rule, and the three-year prohibition’s scope.
- DFARS 252.204-7012 (covered defense information and FedRAMP), -7019 / -7020 (SPRS assessment score), -7021 (contract clause), and -7025 (solicitation provision), via Acquisition.gov / eCFR.
- NIST SP 800-172 (February 2021) as the current CMMC-incorporated Level 3 source, and that NIST issued SP 800-172 Revision 3 on May 13, 2026 (which does not become the CMMC baseline without rulemaking).
What’s official vs. editorial synthesis: The asset-category rules, control language, assessment methods, phase dates, status durations, and clause requirements are official. The role labels, the architecture comparison, the challenge tests, the evidence packages, the provider-category routing, the boundary-fit criteria, the change-trigger ledger, and the worksheet are The Defense Compliance Report’s editorial synthesis, built from those verified facts.
What we deliberately left out:universal cost figures and one-size-fits-all timelines, named-provider rankings, “most common finding” claims, certification predictions, and any suggestion that a product or topology guarantees compliance. We didn’t have defensible primary-source data for those, so we didn’t publish them.
This page was written by The Defense Compliance Report Editorial Team. It has not been formally reviewed by a named CMMC advisor. See our editorial standards, methodology, and corrections policy.
CMMC network segmentation FAQ
- Is network segmentation required for CMMC Level 2?
- There is no requirement titled “network segmentation.” It’s a method that may be necessary to satisfy boundary and CUI-flow requirements (such as SC.L2-3.13.1 and AC.L2-3.1.3) and to support an Out-of-Scope Asset claim (32 CFR § 170.19). On a flat network, every connected system becomes a candidate for the boundary.
- Is a VLAN enough for CMMC?
- A VLAN can be one mechanism within a logical-separation design, but the label alone is not evidence. The configured controls have to actually prevent unauthorized transfer, and you should be able to prove it with rules, logs, and testing (CMMC Program FAQ).
- Does CMMC require physically separate networks?
- Not universally. The DoD recognizes both physical and logical separation. An air gap is one valid option, not a blanket requirement (CMMC Level 2 Scoping Guide).
- Does a firewall automatically put my corporate systems out of scope?
- No. Asset category, actual CUI handling, security function, connectivity, and the full architecture determine scope — a firewall is one enforcement point, not an automatic exclusion (32 CFR § 170.19).
- Can encryption keep my enterprise switches and routers out of scope?
- Potentially, but only when the enclave is otherwise logically separated and the enterprise components merely carry properly encrypted CUI in transit. Per the DoD CMMC Program FAQ, encryption alone does not create the boundary.
- Does segmentation reduce the 110 Level 2 requirements?
- No. It reduces how many assets are assessed and how each category is treated. CUI Assets are still measured against all 110 NIST SP 800-171 Revision 2 requirements (32 CFR § 170.14).
- Are identity, SIEM, EDR, DNS, backups, and admin systems in scope?
- They have to be evaluated. A service or asset is in scope when it processes, stores, or transmits CUI or Security Protection Data, or provides a security function or capability to the assessment scope — so many of them are Security Protection Assets even when they don’t store CUI (32 CFR § 170.19).
- Can a remote laptop stay out of scope with VDI?
- Potentially, under strict conditions in § 170.19 and the CMMC Program FAQ: keyboard/video/mouse only, with local copy, transfer, drive mapping, print, save, and screenshots blocked, CUI kept entirely in the session, separate MFA to the VDI server, access limited to authorized users and allowable locations, and the configuration verified. Any local CUI processing turns the endpoint into a CUI Asset.
- Does my MSP or MSSP have to be CMMC certified?
- Not necessarily. An MSP or MSSP is an in-scope External Service Provider when its services process, store, or transmit CUI or Security Protection Data; a provider that handles neither is not a CMMC ESP. An ESP isn’t automatically required to hold its own CMMC status, and its responsibilities are captured in a Customer Responsibility Matrix (CMMC Program FAQ; 32 CFR § 170.19).
- Does every endpoint need its own icon on the network diagram?
- The rule requires the applicable in-scope asset categories to be documented, but it doesn’t prescribe a one-icon-per-device format (32 CFR § 170.19). We recommend grouping equivalent assets visually while keeping individual detail in the asset inventory.
- Is a DMZ required?
- SC.L2-3.13.5 requires publicly accessible components to sit on a physically or logically separated subnetwork. A DMZ is the common implementation, but the requirement is the separation outcome — not a specific appliance (NIST SP 800-171 Rev. 2).
- Does CMMC require GCC High or AWS GovCloud?
- No brand is named as a universal requirement. When an external Cloud Service Provider stores, processes, or transmits covered defense information under DFARS 252.204-7012, the contractor must require and ensure FedRAMP Moderate-equivalent protections and the clause’s other obligations. Whether a specific government cloud is appropriate depends on your data, the service, the contract clauses, authorization or equivalency evidence, and your configuration (DFARS 252.204-7012).
- Does the same scope model apply at Level 3?
- No. Level 3 scoping differs — including different treatment of assets considered Contractor Risk Managed at Level 2 — and CMMC Level 3 currently adds 24 enhanced requirements DoD selected from the February 2021 version of NIST SP 800-172 on top of the Level 2 baseline (32 CFR § 170.14(c)(4)). NIST released SP 800-172 Revision 3 in May 2026, but Revision 3 does not become the CMMC-controlling Level 3 baseline unless DoD amends the program rule. This page is Level 2-focused.
- When should I contact a C3PAO?
- After your scope, SSP, evidence, technical implementation, and test results are mature enough for pre-assessment validation. A C3PAO can’t promise the outcome and must follow the Cyber AB’s impartiality and conflict rules — including the three-year prohibition on assessing an organization it previously helped prepare (32 CFR § 170.8; CAP v2.0). For a comparison of self-assessment vs. C3PAO assessment, see our self-assessment vs. C3PAO guide.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.
Related on The Defense Compliance Report:
CMMC Scoping Guide: Which Assets Are In Scope · CMMC Secure Enclave: Should You Use One? · CMMC Level 2 Cost · Self-Assessment vs. C3PAO · Find My CMMC Path
Primary sources cited on this page (verified ):