CMMC Scope Reduction: How to Shrink Your CMMC Level 2 Scope Without Failing the Assessment
CMMC scope reduction means shrinking the set of people, systems, and service providers that touch Controlled Unclassified Information (CUI) — so fewer of them fall inside your CMMC Level 2 assessment. It does not reduce the 110 security requirements themselves. Under the CMMC scoping rule at 32 CFR 170.19, only CUI Assets — the systems that process, store, or transmit CUI — are assessed against all 110 requirements of NIST Special Publication 800-171 Revision 2; the other in-scope categories get narrower treatment, and Out-of-Scope Assets are not assessed at all.
That last point is where contractors lose money. They picture all 110 controls landing on every laptop, server, and mailbox in the building, get a quote that reads like a ransom note, and either overspend or freeze. Here’s the part nobody told you plainly: the number of controls is fixed, but the number of assets those controls apply to is yours to shrink — legally, and exactly the way the rule contemplates. Below is the whole decision, mapped to the regulation we read line by line.
Can this be out of CMMC scope? The 30-second answer
| Asset or workflow | Out of scope? | Why |
|---|---|---|
| A laptop that downloads or opens CUI | No | It processes or stores CUI — it’s a CUI Asset, assessed against all 110 |
| A VDI/remote-desktop endpoint that can’t store, transfer, print, or copy CUI (only keyboard/video/mouse leaves) | Yes, potentially | 32 CFR 170.19 specifically recognizes this out-of-scope pattern |
| Your SIEM, EDR, or firewall protecting the CUI environment | No | It’s a Security Protection Asset — in scope for the functions it provides |
| A corporate ERP or email system with no CUI and no security role | Potentially | Only if it truly cannot process/store/transmit CUI and is separated from CUI |
| An MSP or MSSP that administers your CUI systems or runs your security tools | Usually in scope | A provider handling CUI or your security data is part of your scope |
| A CNC machine or test rig that handles CUI but can’t be fully secured | In scope as a Specialized Asset | Documented and risk-managed, but not assessed against the other requirements |
| Encrypted CUI sitting on a system | Still in scope | DoD states encrypted CUI is still CUI; encryption is a control, not a boundary |
Not sure where your laptops, email, file shares, and shop-floor systems actually land?
The free CMMC Scope Reduction Worksheet further down this page walks you through sorting your environment into the five regulatory categories — no email, no CUI, no contract numbers required. Start there, then decide what to shrink.
What CMMC scope reduction actually means (and why it isn’t a loophole)
CMMC scope reduction is the disciplined practice of confining CUI to the smallest defensible footprint, so fewer assets and people fall inside the assessment boundary. It changes how many systems must implement and prove the 110 NIST SP 800-171 Rev 2 requirements — not which requirements apply. The scoping rule at 32 CFR 170.19 builds the entire Level 2 assessment around asset categories, which is exactly what makes a smaller, well-drawn boundary legitimate rather than evasive.
Let’s kill the misconception that’s costing the industry money. “CMMC Level 2 has 110 controls” is true. “Therefore I must apply all 110 to my entire company” is not. NIST SP 800-171 itself has said for years that an organization may limit the scope of the security requirements by isolating the system components that process, store, or transmit CUI into a separate environment. The DoD’s own CMMC Level 2 Scoping Guide makes the same point: separation is the mechanism that limits what falls inside the assessment.
This isn’t a gray area we’re stretching. The scoping categories are written into the binding rule, and the government’s own small-business watchdog has pushed for more of this. In its public comments on the CMMC program, the Small Business Administration’s Office of Advocacy asked DoD for “clear and concise guidance for small business contractors and subcontractors to create enclaves to lessen the burden of compliance” (SBA Office of Advocacy, Feb. 27, 2024). When the SBA is asking for better enclave guidance, you can stop worrying that shrinking scope looks like cheating. It’s the intended path. The only question is whether you draw the boundary in a way that holds up — which is the rest of this page.
One framing we’ll come back to, because it’s the whole game: scope reduction isn’t about drawing the smallest box. It’s about proving the smallest defensible box.
Why this matters now: Phase 1, self-assessments, and the November 2026 shift
CMMC requirements began phasing into contracts on November 10, 2025, and the clock on third-party assessments is already running. For roughly the first year, DoD’s focus is on Level 1 and Level 2 self-assessments. From November 2026, Level 2 third-party assessments become required for applicable contractors handling CUI. A smaller, cleaner scope is what makes that deadline survivable — less to remediate, less to document, less to prove.
Here’s the timeline straight from the primary sources. The revised DFARS clause 252.204-7021 — the contract clause that makes CMMC a condition of award — took effect November 10, 2025, which is also when Phase 1 of the four-phase rollout began (32 CFR 170.3(e); DoD CMMC FAQ A-A1). As of that date, applicable contractors are required to complete a Level 2 self-assessment to verify compliance with NIST SP 800-171 Rev 2; beginning in November 2026, CMMC Level 2 third-party assessments will be required for applicable contractors (DoD CMMC FAQ B-A2).
That’s not manufactured urgency — it’s the published schedule. And it’s why the scope decision is the first expensive call you make, not the last: every asset you can legitimately keep out of the boundary is one you don’t have to remediate, monitor, evidence, and re-prove every three years.
What’s in scope for CMMC Level 2? The five asset categories (32 CFR 170.19)
For CMMC Level 2, every asset falls into one of five categories defined in 32 CFR 170.19: CUI Assets (assessed against all 110 requirements), Security Protection Assets (assessed against the requirements relevant to the security function they provide), the two limited-assessment categories, Contractor Risk Managed Assets and Specialized Assets (reviewed through the SSP rather than assessed against the other requirements), and Out-of-Scope Assets (not assessed at all). Which category an asset lands in is decided by whether it touches CUI and how it’s separated, and that decision drives your entire cost and evidence burden. The table below comes straight from the rule’s own Table 3.
We pulled this directly from the current eCFR text of 32 CFR 170.19 (Source: 89 FR 83214, Oct. 15, 2024). The “scope-reduction lever” and “common mistake” columns are our editorial additions, built on the rule.
The CMMC Level 2 Asset-Category Scope-Reduction Matrix
| Asset category | In scope? | What gets assessed | You must document | The scope-reduction lever | Common mistake |
|---|---|---|---|---|---|
| CUI Assets — process, store, or transmit CUI | Yes | All 110 Level 2 requirements | Asset inventory, System Security Plan (SSP), network diagram | Minimize the count: consolidate CUI into the fewest assets and fewest users possible | Letting CUI sprawl into commercial email, laptops, and shared drives |
| Security Protection Assets — provide security functions to the in-scope environment | Yes | Only the Level 2 requirements relevant to the capability provided | Inventory, SSP, network diagram | Consolidate security tooling; use authorized managed-security services so fewer of your own assets carry this label | Forgetting your domain controller, firewall, SIEM, or EDR is in scope |
| Contractor Risk Managed Assets — can but are not intended to handle CUI, controlled by policy; not required to be separated from CUI assets | Yes (limited) | SSP review; no full assessment if documented sufficiently. A limited check is allowed only if your docs raise questions — and it may not materially increase assessment duration or cost | Inventory, SSP, network diagram, risk-based policies and practices | Strong, specific policy documentation keeps these from being fully assessed | Treating them as “out of scope” — they are not; thin documentation that triggers the limited check |
| Specialized Assets — can handle CUI but can’t be fully secured: IoT, IIoT, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, Test Equipment | Yes (limited) | SSP review; not assessed against the other requirements | Inventory, SSP, network diagram; show they’re managed under risk-based policies | Classify OT, IoT, GFE, and test gear correctly so they aren’t dragged into the full control set | Mislabeling an ordinary endpoint as “specialized” to dodge controls |
| Out-of-Scope Assets — cannot process/store/transmit CUI and provide no security protection for CUI assets; physically or logically separated | No | None | Be prepared to justify the asset’s inability to touch CUI | Physical or logical separation; a VDI endpoint that can’t move CUI beyond keyboard/video/mouse is out of scope | Claiming out-of-scope with no defensible boundary; an asset that fits any in-scope category can never be out-of-scope |
A few things to internalize, because they’re where the real decisions live.
Security Protection Assets are the surprise. The DoD Scoping Guide is explicit that a security tool can be in scope even if it never touches CUI. Its example: an external provider running a security information and event management (SIEM) service may be logically separated and may not process CUI, but because the SIEM contributes to meeting your requirements, it’s a Security Protection Asset. Firewalls, vulnerability scanners, EDR, VPN concentrators, mobile device management, and security operations centers all tend to land here. The data those tools hold — your logs, configurations, and alerts — is “Security Protection Data,” and it pulls the tool into scope.
Contractor Risk Managed Assets are not a free pass. People hear “not assessed against the other requirements if documented” and treat the category as a junk drawer for anything they’d rather not assess. The rule is narrower: these are assets that could touch CUI but are kept from it by your policies, and they remain inside the Level 2 scope. Sloppy documentation invites a limited check.
Specialized Assets is where manufacturers breathe out. A 1990s CNC controller or a piece of test equipment that can’t run modern endpoint controls isn’t a compliance dead end. If it can handle CUI but can’t be fully secured, you document it, manage it under risk-based policies, and it isn’t assessed against the rest of the control set. That’s a deliberate accommodation for the shop floor.
Here’s the order of operations for getting this right, and none of it requires a sales call: Step 1, map where your CUI actually lives. Step 2, sort your assets into these five categories. Step 3, pick the architecture that shrinks the in-scope count — and only then bring in the right kind of provider. The worksheet below handles Steps 1 and 2.
Not sure which asset category your systems fall into?
Tell us your level, scope, and timeline and we’ll match you with source-checked readiness providers who can map your boundary before anything else gets bought.
Get matched with scope-first providers →
What can legitimately be out of CMMC scope (separation, VDI, and the encryption trap)
An asset is out of CMMC Level 2 scope only when it cannot process, store, or transmit CUI, plays no role in protecting CUI assets, and is physically or logically separated from CUI. “We don’t use it for CUI” is weaker than “it cannot touch CUI.” And separation has a specific meaning in the DoD Scoping Guide — one that rules out the shortcut most contractors reach for first.
Here’s how DoD defines the two kinds of separation (Source: DoD CMMC Level 2 Scoping Guide, v2.13):
- Logical separation happens when data transfer between physically connected assets is prevented by non-physical means — software or network controls such as firewalls, routers, VPNs, and VLANs.
- Physical separation happens when assets have no connection at all, wired or wireless; data can only move manually, for example by USB drive.
The Scoping Guide is blunt that separation is the lever: by separating assets, the CMMC Assessment Scope can be limited, and effective separation is what lets an asset qualify as out-of-scope.
The encryption trap
This is the one to read twice. Encrypting CUI does not move a system out of scope, and encryption alone does not create logical separation. DoD’s CMMC FAQ states that encrypted CUI remains CUI — it keeps its control designation until the data is formally decontrolled (DoD CMMC FAQ B-A8). And the DoD CMMC FAQ addresses the separation question directly: encryption by itself does not create the logical separation needed to remove a system from scope. You need enforced segmentation that actually prevents CUI from crossing the boundary.
In plain terms: the existence of a VLAN, a firewall rule, or “it’s all encrypted” is not, by itself, proof of a boundary. An assessor wants to see that data genuinely cannot move from the enclave to the wider environment: the deny is enforced and has been tested (connection attempts from the non-CUI side fail), it is monitored, and it is documented in the SSP and network diagram. A “policy-only” boundary, where the only thing stopping CUI from leaking is a rule in a handbook, fails.
The VDI exception worth knowing
There’s one widely missed, genuinely useful out-of-scope path in the rule. A laptop or desktop that hosts a virtual desktop infrastructure (VDI) client — configured so that no CUI can be processed, stored, or transmitted beyond the keyboard, video, and mouse sent to the VDI — is considered an Out-of-Scope Asset (32 CFR 170.19; DoD CMMC FAQ, Section F). A properly locked-down VDI or browser-only setup can keep your general endpoints outside the assessment, as long as users can’t download, copy, cache, screenshot, or print CUI locally. The moment a laptop can pull CUI down, that exception evaporates and the laptop is back in scope.
Out-of-scope proof checklist
If you want an asset treated as out of scope, be ready to show it meets every line below. Failing any one of them likely puts the asset back in scope.
- It cannot process CUI.
- It cannot store CUI.
- It cannot transmit CUI.
- It provides no security protection for CUI assets.
- It is physically or logically separated from CUI assets.
- It shares no backup that contains CUI.
- It shares no logging or security data that would count as Security Protection Data.
- It has no administrative path into the CUI environment.
- It has no file-transfer, print, download, or clipboard path that could move CUI.
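The five-category table above and this proof checklist are a decision procedure, and the mistakes the page warns about (calling a CRMA “out of scope,” calling a VDI laptop with clipboard redirection still on “out of scope,” forgetting that a backup set containing CUI is a CUI Asset) come from applying the categories in the wrong order. The following Python is an added worked example written for this page; it is not DoD, Cyber AB, or assessor tooling. The `AssetFacts` fields are this example’s own assumption about what a scoping interview records per asset, the `SPECIALIZED_TYPES` tag values are assumed, and the inventory is constructed. It encodes the precedence the rule implies: in-scope categories are tested first, most stringent first, and Out-of-Scope is reached only when every line of the checklist holds.

```python
"""Sort an asset inventory into the five CMMC Level 2 categories of 32 CFR 170.19.

Added worked example for this page; not DoD, Cyber AB, or assessor tooling.
The AssetFacts fields are this example's own assumption about what a scoping
interview records per asset. The precedence encodes the page's reading of the
rule: an asset that fits any in-scope category can never be Out-of-Scope, and
Out-of-Scope requires every line of the proof checklist to hold.
"""
from dataclasses import dataclass

# Asset types the rule names as candidates for "Specialized Asset" (assumed tag values).
SPECIALIZED_TYPES = {"iot", "iiot", "ot", "gfe", "restricted_is", "test_equipment"}


@dataclass(frozen=True)
class AssetFacts:
    name: str
    handles_cui: bool = False                 # processes, stores, or transmits CUI today
    can_handle_cui: bool = False              # technically able to, even where policy forbids it
    provides_security_function: bool = False  # firewall, SIEM, EDR, IdP, MDM for the CUI environment
    separated: bool = False                   # physically or logically separated from CUI assets
    asset_type: str = "general"               # "ot", "gfe", "test_equipment", ... for Specialized candidates
    cannot_be_fully_secured: bool = False     # e.g. a legacy CNC controller that cannot run EDR
    shares_cui_backup: bool = False           # sits in a backup set that also contains CUI
    holds_security_protection_data: bool = False
    admin_path_into_cui_env: bool = False
    transfer_paths: frozenset = frozenset()   # e.g. {"clipboard", "download", "print"} left enabled


def out_of_scope_failures(a: AssetFacts) -> list:
    """Return the proof-checklist lines this asset fails; an empty list means it passes all of them."""
    checks = [
        ("cannot process/store/transmit CUI", not (a.can_handle_cui or a.handles_cui)),
        ("provides no security protection for CUI assets", not a.provides_security_function),
        ("physically or logically separated from CUI assets", a.separated),
        ("shares no backup containing CUI", not a.shares_cui_backup),
        ("holds no Security Protection Data", not a.holds_security_protection_data),
        ("no administrative path into the CUI environment", not a.admin_path_into_cui_env),
        ("no file-transfer/print/download/clipboard path for CUI", not a.transfer_paths),
    ]
    return [label for label, ok in checks if not ok]


def categorize(a: AssetFacts) -> tuple:
    """Return (category, reasons). In-scope categories are tested first, most stringent first."""
    touches_cui = a.handles_cui or a.shares_cui_backup
    if touches_cui and a.asset_type in SPECIALIZED_TYPES and a.cannot_be_fully_secured:
        return "Specialized Asset", [f"{a.asset_type} that handles CUI but cannot be fully secured"]
    if touches_cui:
        return "CUI Asset", ["processes, stores, or transmits CUI (CUI backups count)"]
    if a.provides_security_function or a.holds_security_protection_data:
        return "Security Protection Asset", ["provides a security function or holds Security Protection Data"]
    failures = out_of_scope_failures(a)
    if not failures:
        return "Out-of-Scope Asset", ["passes every line of the out-of-scope proof checklist"]
    if a.can_handle_cui or a.transfer_paths:
        return "Contractor Risk Managed Asset", ["could touch CUI and is kept off it by policy only"] + failures
    # Claims it cannot touch CUI yet still has a path into the CUI environment: in scope until resolved.
    return "In scope (unresolved)", failures


def scope_summary(inventory) -> dict:
    """Count assets per category; the CUI Asset count is the one that carries all 110 requirements."""
    summary = {}
    for a in inventory:
        category, _ = categorize(a)
        summary[category] = summary.get(category, 0) + 1
    return summary


# Constructed sample inventory (illustrative names and facts, not a real environment).
INVENTORY = [
    AssetFacts("eng-laptop-07", handles_cui=True, can_handle_cui=True),
    AssetFacts("vdi-thin-client-12", separated=True),  # KVM-only VDI endpoint
    AssetFacts("vdi-laptop-03", separated=True, transfer_paths=frozenset({"clipboard"})),
    AssetFacts("siem-collector", provides_security_function=True,
               holds_security_protection_data=True, separated=True),
    AssetFacts("cnc-controller-3", handles_cui=True, can_handle_cui=True,
               asset_type="ot", cannot_be_fully_secured=True),
    AssetFacts("payroll-saas", separated=True),
    AssetFacts("erp-server", can_handle_cui=True),  # flat network; policy says "no CUI here"
    AssetFacts("backup-nas", shares_cui_backup=True),
    AssetFacts("helpdesk-jumpbox", separated=True, admin_path_into_cui_env=True),
]

if __name__ == "__main__":
    for asset in INVENTORY:
        category, reasons = categorize(asset)
        print(f"{asset.name:20} {category:32} {'; '.join(reasons)}")
    print(scope_summary(INVENTORY))
```

Two design points worth noting. The Specialized test runs before the CUI Asset test because a shop-floor controller that handles CUI belongs in the limited category, not the full one; and a backup target is treated as touching CUI because a backup set containing CUI is still CUI. The `reasons` list is what you carry into the SSP as the justification for each classification, which is exactly what the rule asks you to be prepared to show for every Out-of-Scope claim.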
The ways to reduce CMMC scope, compared (enclave, VDI, segmentation, cloud)
The right scope-reduction move depends on where your CUI actually lives. A narrow document workflow may fit a secure-collaboration enclave; an engineering or manufacturing workflow may need VDI, a segmented network, or Specialized-Asset treatment; and a company where almost everyone handles CUI may be better off scoping the whole environment. The enclave approaches are the most common way small and mid-size contractors cut scope, but the boundary has to match reality, not a diagram.
We built the matrix below by combining the asset categories in 32 CFR 170.19, the separation guidance in the DoD Scoping Guide, the External Service Provider rules in the same documents, and the failure modes assessors look for. The provider-category column points you toward who actually does each move — we route by category, not by a name anyone paid to feature.
The CMMC Scope Reduction Evidence Matrix: nine moves mapped to the rule
| Scope-reduction move | Best for | What it can reduce | What stays in scope | Proof you’ll need | Common trap | Provider category |
|---|---|---|---|---|---|---|
| 1. Map your CUI flow before buying anything | Everyone | Stops unneeded systems from being pulled in | Anything that actually handles or protects CUI | CUI data-flow map, asset inventory, contract/marking review | Buying an enclave or GCC High before you know where CUI lives | Readiness / RPO / vCISO |
| 2. Move CUI into a controlled enclave | Small teams, narrow CUI workflows | The general business systems that no longer touch CUI | Enclave systems, identity, logging, security tools, backups | Boundary diagram, access list, data-flow evidence, enforced separation | CUI still leaks to email, downloads, or old shares | Enclave / secure-collaboration + readiness |
| 3. Use VDI/browser-only access | Keeping endpoints out of scope | Local devices that can’t store/transfer CUI | The VDI environment, identity, logs, management plane | VDI config, disabled clipboard/download/print, endpoint posture | Calling a laptop “out of scope” when it can still cache CUI | VDI/enclave + MSP/MSSP |
| 4. Keep CUI out of normal email, ERP, and consumer cloud sync | Companies with accidental CUI sprawl | Corporate email/ERP workflows that no longer carry CUI | The controlled intake/collaboration system | Written CUI-handling rules, technical controls, logs, training records | Users keep attaching controlled drawings in normal systems | Readiness + secure-collaboration |
| 5. Segment an on-prem CUI network | Manufacturers, labs, hybrid shops | Non-CUI networks that are truly separated | The CUI subnet, firewalls, identity, admin workstations, monitoring | Network diagram, firewall rules, segmentation testing | Treating “we have a VLAN” as proof CUI can’t cross | MSP/MSSP + network/security architect |
| 6. Classify adjacent systems as Contractor Risk Managed Assets | Business systems that could touch CUI but are policy-controlled | Avoids treating them as full CUI Assets | They remain in Level 2 scope and must be documented | CRMA inventory, policy, SSP treatment | Assuming they’re out of scope — they’re not | Readiness + MSP/MSSP |
| 7. Treat OT, IoT, GFE, and test gear as Specialized Assets | Shop floors, labs, test environments | Avoids forcing full controls onto assets that can’t take them | They remain in scope and must be documented/managed | Specialized-asset inventory, SSP treatment, risk controls | Calling old equipment “out of scope” when it handles CUI | Manufacturing-aware readiness + OT security |
| 8. Verify the MSP/MSSP/GRC/ESP role before you sign | Any outsourced IT or security | Prevents surprise scope expansion | ESP services, personnel, and security tools can be in scope | Service description, Customer Responsibility Matrix, FedRAMP evidence if a CSP handles CUI | Assuming a SIEM is “outside” because it never stores CUI | MSP/MSSP + readiness |
| 9. Resolve scope before you engage a C3PAO | Level 2 assessment-bound contractors | Prevents delay and scope expansion mid-assessment | The C3PAO validates scope; disagreements must be resolved first | SSP, inventory, network diagram, ESP responsibility matrix | Asking the assessor to design your scope | Readiness first; C3PAO only when ready |
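Row 5 of the matrix asks for “segmentation testing,” and the separation section earlier on this page makes the point that a VLAN or a firewall rule only counts when the deny is actually enforced. The following Python is an added worked example written for this page, not assessor or vendor tooling, showing what that test looks like: enumerate the flows the enclave policy says must be denied, enumerate the one sanctioned path that must work, and probe each from the non-CUI side. The addresses, hostnames, and the “forgotten SMB rule” are constructed; the probe is injectable so the example runs offline against a fake network, and `tcp_connect` is the real probe to swap in.

```python
"""Test a claimed segmentation boundary by trying the flows it must deny.

Added worked example for this page, not assessor or vendor tooling. The must-deny
and must-allow flows are what you would derive from the network diagram and the
enclave firewall policy; the probe is injectable so the example runs offline
against a constructed fake network. Replace fake_probe with tcp_connect and run it
from a host on the non-CUI side of the boundary. All addresses and hostnames below
are constructed.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str   # segment the probe runs from, e.g. "corp"
    dst_host: str
    dst_port: int
    purpose: str


def tcp_connect(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real probe: True if the TCP handshake completes (a leak, if this flow must be denied)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused (RST) and dropped (timeout) both count as blocked
        return False


def verify_segmentation(must_deny, must_allow, probe=tcp_connect) -> dict:
    """Classify each flow. 'leaks' are denied flows that connected; 'broken' are sanctioned
    flows that failed, which makes the run inconclusive (the probe host may itself be cut off)."""
    result = {"blocked": [], "leaks": [], "allowed": [], "broken": []}
    for f in must_deny:
        result["leaks" if probe(f.dst_host, f.dst_port) else "blocked"].append(f)
    for f in must_allow:
        result["allowed" if probe(f.dst_host, f.dst_port) else "broken"].append(f)
    return result


def boundary_holds(result: dict) -> bool:
    """The boundary is demonstrated only when nothing leaked and the sanctioned paths worked."""
    return not result["leaks"] and not result["broken"]


# Constructed policy: from the corporate segment, nothing may reach the CUI file server,
# the enclave domain controller, or a CUI workstation directly; only the VDI gateway is sanctioned.
MUST_DENY = [
    Flow("corp", "10.20.0.10", 445, "SMB to CUI file server"),
    Flow("corp", "10.20.0.10", 22, "SSH to CUI file server"),
    Flow("corp", "10.20.0.5", 389, "LDAP to enclave domain controller"),
    Flow("corp", "10.20.0.20", 3389, "RDP straight to a CUI workstation, bypassing VDI"),
]
MUST_ALLOW = [
    Flow("corp", "10.20.0.2", 443, "HTTPS to the VDI gateway (the only sanctioned path in)"),
]

# Constructed fake network: the firewall change forgot the SMB deny. Stand-in for a live probe.
FAKE_OPEN_PORTS = {("10.20.0.10", 445), ("10.20.0.2", 443)}


def fake_probe(host: str, port: int) -> bool:
    return (host, port) in FAKE_OPEN_PORTS


def run_report(probe=fake_probe) -> bool:
    """Print one line per flow as evidence for the SSP and return whether the boundary held."""
    result = verify_segmentation(MUST_DENY, MUST_ALLOW, probe)
    for status in ("blocked", "leaks", "allowed", "broken"):
        for f in result[status]:
            print(f"{status.upper():8} {f.src_zone} -> {f.dst_host}:{f.dst_port}  ({f.purpose})")
    return boundary_holds(result)


if __name__ == "__main__":
    run_report()
```

The must-allow list is there for a reason: a run in which every denied flow is blocked but the sanctioned VDI path is also dead proves nothing, because the probe host may simply be disconnected. Run the probe from every non-CUI segment the diagram shows, repeat it from inside the enclave for the outbound direction, and cover UDP and ICMP where the policy denies them; keep the per-flow output with the date and the firewall policy version as the segmentation evidence the matrix asks for.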
The architectures, side by side
Most contractors are choosing among a handful of architectures. The table compares how each one reduces scope, where it fits, and the failure mode an assessor will probe.
| Architecture | Best for | Reduces scope? | Main scope trap | What assessors verify |
|---|---|---|---|---|
| Secure-collaboration enclave | Few CUI users and files | Yes | CUI leaks to email or local downloads | The boundary is enforced; provider responsibility matrix is documented |
| VDI enclave | Engineering users and endpoints | Yes | Local transfer, caching, printing | Endpoints truly can’t move CUI; the VDI environment meets the controls |
| GCC High / Microsoft 365 Government | Microsoft-heavy CUI | Yes | Assuming the tenant alone “makes you compliant” | Shared-responsibility split; that the rest of your in-scope assets are covered too |
| Azure Government / AWS GovCloud | App and data hosting | Yes | Admin tools, logs, backups, and on-prem links sneak back in | The specific cloud offering used for CUI meets FedRAMP Moderate (or DoD-recognized equivalency); the boundary is real |
| Segmented on-prem network | Manufacturing, labs | Yes | A flat admin or security tier undermines the segmentation | Enforced, monitored separation, documented in the SSP |
| Enterprise-wide Level 2 | CUI everywhere | This isn’t scope reduction | Overpaying when CUI is actually narrow | The whole environment against all 110 |
If you want to go deeper on any one path, we keep dedicated breakdowns of the secure enclave approach, enclave cost, and the GCC High decision.
You’ve seen the levers. The next move is matching one to your level, scope, and timeline — and that’s where a wrong turn gets expensive.
Tell us where your CUI lives and what your environment looks like, and we’ll match you with source-checked provider options — enclave or readiness — that fit. No CUI uploads, no certification guarantees.
Get matched →
How MSPs, MSSPs, CSPs, and other ESPs change your scope
External Service Providers (ESPs) — your MSP, MSSP, SIEM vendor, or cloud host — can cut your operational burden, but they can also become part of your CMMC scope. Under 32 CFR 170.19, the test is whether the provider is a Cloud Service Provider (CSP) and whether it processes, stores, or transmits CUI or Security Protection Data. The relationship and the split of responsibilities must be documented in your SSP and in a Customer Responsibility Matrix (CRM).
A cloud that holds your CUI must meet FedRAMP. If a CSP processes, stores, or transmits CUI, the specific cloud service offering used for that CUI must meet the FedRAMP Moderate baseline requirements referenced in DFARS 252.204-7012 (DoD CMMC FAQ, Section E; 32 CFR 170.19, Table 4). This is why general-purpose commercial clouds aren’t sufficient for CUI, and why GCC High, Azure Government, and AWS GovCloud exist. A cloud enclave only reduces your scope if the offering underneath it actually meets that bar — and the shared-responsibility model means you still own the controls the CRM assigns to you.
A provider that handles your security data is in scope — even with zero CUI. A provider can be in scope even when it never sees a single CUI file. Per 32 CFR 170.19, a provider that handles Security Protection Data without CUI has its services assessed as Security Protection Assets. The DoD Scoping Guide’s SIEM example makes the point — a logically separated SIEM that processes no CUI is still a Security Protection Asset, and the data it holds is Security Protection Data. So an MSSP running your security tools, or an MSP with privileged administrative access into your CUI environment, generally lands in scope. “Our MSSP never stores CUI” does not mean “our MSSP is out of scope.”
A provider that touches neither CUI nor security data isn’t an ESP. The rule is equally clear in the other direction: a service provider that processes neither CUI nor Security Protection Data does not meet the CMMC definition of an ESP (32 CFR 170.19, Table 4). Your payroll SaaS or accounting platform, if it touches neither, generally isn’t dragging itself into your CMMC scope. And an ESP that is in scope doesn’t necessarily need its own separate CMMC assessment — its services can be assessed as part of your assessment, though the rule notes an ESP may voluntarily get its own assessment to reduce the effort during yours.
Before you sign with any MSP, MSSP, enclave provider, or cloud platform, get three documents: their service description, their FedRAMP authorization evidence if they’ll handle CUI, and a Customer Responsibility Matrix that states — in writing — exactly which of the 110 requirements they cover and which stay with you. We keep a fuller breakdown on the external service provider requirements page.
Have an MSP, MSSP, SIEM, or cloud provider already in the mix and you’re unsure how they affect your boundary?
We’ll help you identify which provider category should review the shared-responsibility split before you lock in a scope you’ll have to defend.
Get matched with source-checked options →
What scope reduction actually cuts — and what it costs
Scope reduction lowers cost by shrinking the number of assets and users that must implement, and continuously prove, the 110 requirements — and the 320 assessment objectives behind them in NIST SP 800-171A. It does not reduce the requirement count. The real driver of your cost is how many assets and people you remove from the boundary.
In its CMMC FAQ, DoD states that the cost of achieving compliance depends on factors including “the complexity of the defense industrial base company’s unclassified network” and the organization’s existing posture (DoD CMMC FAQ A-A2). Network complexity isscope. A simpler, smaller in-scope environment is a cheaper one — that’s the government’s own framing, not a vendor’s pitch.
Here’s the mechanism in one line of math worth understanding. CMMC Level 2 maps one-to-one to the 110 requirements of NIST SP 800-171 Rev 2, organized into 14 control families. Those 110 requirements break down into 320 discrete assessment objectives in NIST SP 800-171A — the individual things an assessor checks, where every objective must be satisfied for a requirement to count as met. The objective count is fixed. The variable is your asset and user count, because the evidence burden roughly scales as (assessment objectives) × (in-scope assets and users). Cut your in-scope assets from around 60 to around 12, and you remove roughly 80% of the asset dimension of the evidence you have to produce, maintain, and reproduce. Treat that as a planning heuristic, not a quote.
How the 110 requirements distribute across the 14 control families
Source: NIST SP 800-171 Rev 2
| Control family | Requirements | Control family | Requirements |
|---|---|---|---|
| Access Control (AC) | 22 | Media Protection (MP) | 9 |
| Awareness & Training (AT) | 3 | Personnel Security (PS) | 2 |
| Audit & Accountability (AU) | 9 | Physical Protection (PE) | 6 |
| Configuration Management (CM) | 9 | Risk Assessment (RA) | 3 |
| Identification & Authentication (IA) | 11 | Security Assessment (CA) | 4 |
| Incident Response (IR) | 3 | System & Communications Protection (SC) | 16 |
| Maintenance (MA) | 6 | System & Information Integrity (SI) | 7 |
And the recurring cost most pages skip: CMMC Level 2 and Level 3 assessments are required every three years, with an annual affirmation of continued compliance in the years between (DoD CMMC FAQ C-A1; 32 CFR 170.22). The evidence burden doesn’t hit once — it comes back every cycle. A smaller scope pays you back every three years, not just at your first assessment. We keep current figures on the CMMC Level 2 cost page; what’s universal is that the lever moving your number most is scope.
One clarification we won’t let slide, because vendors blur it: scope reduction doesn’t lower the security you implement inside the boundary. The CUI Assets in your enclave still face all 110 requirements in full; the other in-scope categories get the category-specific treatment the rule lays out. You’re narrowing the environment that must meet the standard — not the standard.
When scope reduction backfires (the part most vendors won’t say out loud)
Scope reduction backfires when your documentation can’t support the boundary you drew — or when you’ve miscategorized assets. Here is what assessors expect to see, straight from the primary sources.
Your SSP has to state your CMMC level and assessment type, describe the boundary, map how CUI flows in and out, list assets by category, document ESP relationships and the shared-responsibility split, and justify your exclusions. Your asset inventory should break cleanly into the five categories, with a justification ready for every out-of-scope asset. Your network diagram has to show the CUI systems, the boundary, identity, logging and SIEM, backups, endpoints, segments, and every ESP connection and data path. A data-flow diagram should trace how CUI enters, moves, leaves, and is destroyed. (Our CMMC Level 2 checklist maps these to the 14 control families.)
Three hard facts from the primary sources that change how seriously you take this:
- No current SSP, no completed assessment. If the SSP requirement (CA.L2-3.12.4) is assessed as “Not Met” because there’s no up-to-date SSP at assessment time, the result is a finding that the assessment could not be completed due to incomplete information and noncompliance with DFARS 252.204-7012 — a “No Score” in the Supplier Performance Risk System (SPRS) (DoD CMMC FAQ C-A10; 32 CFR 170.24).
- You need 80%, and six requirements can never sit on a POA&M. To earn a status, your assessment score divided by the total number of Level 2 requirements must be at least 0.8, and a Plan of Action and Milestones (POA&M) can’t be used for any requirement worth more than one point or for these six, per 32 CFR 170.21(a)(2)(iii): AC.L2-3.1.20 (External Connections), AC.L2-3.1.22 (Control Public Information), CA.L2-3.12.4 (System Security Plan), PE.L2-3.10.3 (Escort Visitors), PE.L2-3.10.4 (Physical Access Logs), and PE.L2-3.10.5 (Manage Physical Access). When a POA&M is allowed, those gaps must be closed within 180 days or the conditional status expires.
- Your boundary is your CMMC UID — and nothing outside it can touch CUI. The assessment boundary for a given CMMC Unique Identifier is documented in your SSP and network diagrams, and DoD is explicit that any company systems not represented by the CMMC UID(s) on a solicitation are considered non-compliant and cannot be used to process, store, or transmit FCI or CUI during contract performance (DoD CMMC FAQ C-A5). Your reduced scope defines what you’re actually allowed to use on the contract — so draw it to cover the work.
Will a future change force a re-assessment?
This is a question every contractor asks, and DoD answered it directly in its current FAQ (C-A12). The three-year cycle and annual affirmation are designed to accommodate normal change, and the Affirming Official — the person who carries the legal and contractual risk — decides whether a change is significant enough to require re-assessment. DoD gives three illustrative cases:
- Re-assessment required: a security requirement or assessment objective that was “Not Applicable” (and therefore never assessed) becomes applicable after a change. DoD’s example: adding Wi-Fi to an environment that was certified without it makes the wireless-access controls (AC.L2-3.1.16 and AC.L2-3.1.17) applicable, so a re-assessment is required.
- Not significant: routine maintenance that preserves your posture — patching, or swapping a security tool for a like tool with the same or better capability (DoD’s example: replacing a FIPS 140-2 firewall with a FIPS 140-3 firewall).
- Needs careful evaluation: major functionality changes, a new security design not in your assessed SSP, or anything that reduces support for a requirement. DoD’s example: merging a Windows environment into a Linux environment may continue under the lower of the two statuses if both were assessed — but if the Windows side was never assessed, a re-assessment is required.
The takeaway: design the boundary to last, document changes through your change-management and SSP-update controls, and treat any change that touches a previously-unassessed requirement as a re-assessment trigger.
Which provider category should help with CMMC scope reduction (and the independence rule)
For most contractors, scope should be solved before a C3PAO — a CMMC Third-Party Assessment Organization, the entity authorized by the Cyber AB to conduct Level 2 certification assessments — is ever engaged. Readiness providers, Registered Practitioner Organizations (RPOs), CMMC-focused MSPs and MSSPs, enclave and cloud architects, and GRC/evidence software can design and operate the boundary; a C3PAO comes in when your scope, SSP, and evidence are ready for a formal assessment. There’s a hard rule behind that sequence you need to understand before you sign anything.
The independence rule, stated directly: under the CMMC Code of Professional Conduct (the Cyber AB’s ethics rules for the CMMC ecosystem), a C3PAO — and every member of its assessment team — is prohibited from performing a CMMC certification assessment for an organization it provided consulting, advisory, or preparatory services to, until a three-year prohibition term has expired. The Code is explicit that this covers any preparatory, advisory, or consulting activity for any type of CMMC assessment, and it applies to the C3PAO as an organization and to its individual assessors (CMMC Code of Professional Conduct v2.0). The practical consequence: don’t hire one firm expecting it to both fix your environment and certify it. Keep readiness and formal assessment as separate engagements with separate firms.
Match your situation to the right category first
| Your problem | First provider category | Not your first call |
|---|---|---|
| “We don’t even know what’s in scope” | Readiness / RPO / vCISO | A C3PAO |
| “CUI is everywhere in email and file shares” | Readiness + secure-collaboration/enclave | GRC software alone |
| “We need someone to run the environment” | CMMC-focused MSP/MSSP | A C3PAO |
| “We need evidence and continuous-compliance workflows” | GRC/evidence platform + readiness | An assessment-only firm |
| “We’re implemented and ready to certify” | A C3PAO (verify status on the Cyber AB Marketplace) | A firm that did your implementation |
A note on software, because it’s oversold: a GRC or evidence-management platform is a supporting layer, not a CMMC solution by itself. No tool implements your controls, separates your network, or makes you compliant on its own. It helps you organize evidence and operate the program — useful, but not a substitute for the architecture and the controls.
Vendor red flags to walk away from
If a provider says any of these, slow down — several describe things that are prohibited or impossible:
- “Guaranteed certification.” (No one can guarantee a CMMC outcome.)
- “Our architecture is Cyber AB-approved” or “DoD-approved enclave.” (Neither body endorses commercial products this way.)
- “You won’t need an SSP.” (You will; without it you get no score.)
- “GCC High means you’re CMMC compliant.” (It’s one piece of scope, not certification.)
- “Everything outside the enclave is automatically out of scope.” (Only if it’s genuinely separated and CUI-free.)
- “We’ll implement your environment and assess it too.” (That’s the conflict of interest the rules forbid.)
- “Just encrypt the CUI and those systems drop out of scope.” (Encrypted CUI is still CUI.)
Need to get the provider category right before you spend on anything?
Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options by category — readiness, MSP/MSSP, enclave, GRC, cloud, or assessment — without ever treating a C3PAO like a remediation vendor.
Get matched →
Your free CMMC Scope Reduction Worksheet
Before any sales call, work these three steps. It’s the same sequence a good readiness provider runs on day one — and doing it yourself first means you walk in with your real footprint instead of a blank page.
Step 1 — Map where CUI lives today. Write down every place CUI is created, received, stored, processed, or transmitted: email, file shares, employee laptops, ERP/PLM, cloud apps, backups, printers, shop-floor or test systems, and any subcontractor exchange. If you can’t yet get clear answers on what counts as CUI, that’s your first task — pin it down with your contracts and markings.
Step 2 — Sort each asset into a category. Using the matrix above, label every asset: CUI Asset, Security Protection Asset, Contractor Risk Managed Asset, Specialized Asset, or Out-of-Scope. For each “Out-of-Scope” call, confirm it passes the out-of-scope proof checklist above.
Step 3 — Pick your scope-reduction move. If CUI is narrow and containable, an enclave (collaboration, VDI, or cloud) is likely your lever. If it’s woven through the company, plan for whole-environment readiness. Either way, list what your SSP, inventory, and network diagram will need to document.
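The three worksheet steps above can be run as a small decision procedure over an asset inventory. The following is an added example, not tooling from this article or from any CMMC program: it encodes the Level 2 asset categories of 32 CFR 170.19 (CUI Asset, Security Protection Asset, Contractor Risk Managed Asset, Specialized Asset, Out-of-Scope Asset) as ordered checks, with the two points the article stresses built in: encrypted CUI is still CUI, and a KVM-only VDI endpoint is the recognized out-of-scope pattern. The attribute names (`handles_cui`, `security_role`, `vdi_kvm_only`, and so on) and the inventory are this example’s own constructed assumptions, not regulatory terms or real assets.

```python
"""Scope-inventory worksheet helper for CMMC Level 2 asset categorization.

Added example, not the article's own tooling. The attribute names below are
assumptions chosen for illustration; the categories are those of 32 CFR 170.19.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    kind: str = "it"               # "it", or a specialized type: "ot", "iot", "gfe", "test"
    handles_cui: bool = False      # processes, stores, or transmits CUI today
    cui_encrypted: bool = False    # recorded, but deliberately ignored: encrypted CUI is still CUI
    security_role: bool = False    # protects the CUI environment or holds Security Protection Data
    vdi_kvm_only: bool = False     # VDI endpoint where only keyboard/video/mouse leaves the session
    can_handle_cui: bool = False   # technically able to, but policy and procedure prevent it
    separated: bool = False        # physically or logically separated from CUI assets


SPECIALIZED_KINDS = {"ot", "iot", "gfe", "test"}


def categorize(a: Asset) -> str:
    """Return the 32 CFR 170.19 Level 2 category for one asset.

    The order of checks is the point: handling CUI is decided before anything
    else, and the encryption flag is never consulted, because encryption is a
    control rather than a scoping boundary.
    """
    if a.kind in SPECIALIZED_KINDS:
        # Documented and risk-managed, whether or not it touches CUI.
        return "Specialized Asset"
    if a.handles_cui:
        return "CUI Asset"
    if a.security_role:
        return "Security Protection Asset"
    if a.vdi_kvm_only:
        return "Out-of-Scope Asset (VDI exception)"
    if a.can_handle_cui:
        # CRMAs need not be separated, but must be covered by policy and documented.
        return "Contractor Risk Managed Asset"
    if a.separated:
        return "Out-of-Scope Asset"
    # Cannot process CUI, but not separated: does not meet the out-of-scope test yet.
    return "Needs review: cannot be out of scope without separation"


def scope_summary(inventory):
    """Group asset names by category, the shape of the worksheet's step 2."""
    groups = defaultdict(list)
    for a in inventory:
        groups[categorize(a)].append(a.name)
    return dict(groups)


def fully_assessed(inventory):
    """Names of assets assessed against all 110 requirements (CUI Assets only)."""
    return [a.name for a in inventory if categorize(a) == "CUI Asset"]


# Constructed sample inventory, chosen to exercise each branch above.
INVENTORY = [
    Asset("eng-laptop-07", handles_cui=True, cui_encrypted=True),  # encryption does not help
    Asset("vdi-thin-client-12", vdi_kvm_only=True),
    Asset("siem-collector", security_role=True),
    Asset("cnc-mill-3", kind="ot", handles_cui=True),
    Asset("hr-erp", can_handle_cui=True),
    Asset("guest-wifi-ap", separated=True),
    Asset("marketing-pc-02"),  # no CUI, but not separated: flagged for review
]

if __name__ == "__main__":
    for category, names in scope_summary(INVENTORY).items():
        print(f"{category}: {', '.join(names)}")
    print("Assessed against all 110:", fully_assessed(INVENTORY))
```

The "Needs review" outcome is the useful one: it catches assets that someone has marked CUI-free but that still fail the separation half of the out-of-scope test, which is exactly where the "everything outside the enclave is automatically out of scope" mistake shows up.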
Worked through your footprint and ready to act on it?
Get matched with source-checked enclave or readiness options for your level, scope, and timeline.
Get matched →
A real example: getting the compliance path right pays off
We hold case studies to a high bar — real, attributable, and primary-sourced. One that qualifies comes from NIST’s own Manufacturing Extension Partnership (MEP) program. In a NIST-published success story, electronics manufacturer Veethree worked with the FloridaMakes Network, part of the MEP National Network, which provided cybersecurity-compliance training and information that supported the company in securing a government account (Source: NIST MEP Success Story, “CMMC Assessment Helps Save Jobs and Sales”).
We’re deliberately careful with what we claim here: this is one company’s documented experience working with a government-affiliated MEP center, not a promise of a typical result. It illustrates a point the whole industry keeps relearning — getting the right help to figure out your compliance path and scope is what turns CMMC from a deal-breaker into a renewed contract. MEP centers can be a useful starting resource for manufacturers, though availability, cost, and the depth of cybersecurity services vary by center and program.
What we verified for this article
We don’t ask you to take our word for the regulatory claims above. Here’s exactly what the editorial team read, and when.
- We read 32 CFR 170.19 (CMMC scoping) in the current eCFR text and reproduced the Level 2 asset categories from its Table 3 (Source: 89 FR 83214, Oct. 15, 2024).
- We read 32 CFR 170.21 (POA&M requirements) and confirmed the 0.8 scoring threshold and the six requirements ineligible for a POA&M, and 32 CFR 170.24 (scoring methodology) and 170.22 (affirmations).
- We read the DoD CMMC Level 2 Scoping Guide (DoD CIO, v2.13, September 2024) for the definitions of logical and physical separation, the SIEM-as-Security-Protection-Asset example, and the Security Protection Data definition.
- We read the DoD CIO CMMC Program FAQ (Revision 2.3, May 2026) and confirmed the answers on encrypted CUI, encryption-and-separation, the VDI exception, the CSP FedRAMP requirement, the MSP/MSSP treatment, assessment frequency, the SSP “No Score” rule, the November 10, 2026 third-party-assessment date, and the “significant change” guidance.
- We confirmed the three-year consulting-then-assessment prohibition in the CMMC Code of Professional Conduct v2.0 (Cyber AB).
- On NIST: NIST withdrew SP 800-171 Rev 2 on and superseded it with Rev 3, but DoD’s CMMC program continues to assess against Rev 2 under a standing class deviation until Rev 3 is incorporated through future rulemaking (DoD CMMC FAQ B-A3). We also confirmed the 320 assessment objectives in NIST SP 800-171A.
- What we did not independently verify: specific vendor cost figures (which is why this page avoids quoting dollar ranges) — confirm those with dated quotes from the providers you’re considering.
This guide is editorial analysis, not legal, contractual, audit, or compliance advice. For decisions that affect a specific contract, confirm scope with a qualified assessor or counsel.
Frequently asked questions
Is CMMC scope reduction allowed?
Yes. Scoping is built directly into 32 CFR 170.19, and the DoD’s CMMC Level 2 Scoping Guide explains the asset categories, out-of-scope treatment, separation, and External Service Provider rules. Scope reduction is allowed when your boundary accurately reflects where CUI is processed, stored, transmitted, and protected.
Does scope reduction reduce the 110 CMMC Level 2 requirements?
No. CMMC Level 2 maps to all 110 requirements of NIST SP 800-171 Rev 2, organized into 14 control families, and that set doesn’t shrink. Scope reduction changes how many assets, people, and systems sit inside the boundary where those 110 requirements must be implemented and proven.
Does encrypting CUI take a system out of CMMC scope?
No. DoD states that encrypted CUI remains CUI and keeps its control designation, and the DoD CMMC FAQ addresses separation directly: encryption alone does not create the logical separation needed to remove a system from scope. Encryption is a security control, not a scoping boundary.
Does a CUI enclave actually reduce CMMC scope?
Yes, when CUI is genuinely confined to the enclave and the boundary is enforced, monitored, and documented. The rest of your environment can then fall outside the assessed scope — but if CUI still reaches email, local downloads, or shared backups, those assets remain in scope.
Can normal laptops be out of scope if users access CUI through VDI?
Potentially. 32 CFR 170.19 says an endpoint hosting a VDI client configured so that no CUI moves beyond keyboard, video, and mouse is considered out of scope. If the endpoint can download, copy, cache, print, or screenshot CUI, it is back in scope.
Are MSPs and MSSPs in scope for CMMC?
They can be. If a provider processes CUI or Security Protection Data, or provides security functions for your assessed environment, it is part of your scope — assessed as part of your assessment, either as services handling CUI or as Security Protection Assets. An MSSP running your security tools is in scope even with no CUI. A provider that touches neither CUI nor Security Protection Data does not meet the CMMC ESP definition.
Is GCC High enough to reduce CMMC scope on its own?
No. GCC High or another government cloud can be a key part of a defensible scope strategy, but your scope still includes users, endpoints, identity, logging, backups, administrators, security tooling, and anything else that processes, stores, transmits, or protects CUI. A compliant cloud is a piece of the picture, not a certification.
Are Contractor Risk Managed Assets out of scope?
No. Contractor Risk Managed Assets are part of the Level 2 assessment scope. If they’re documented sufficiently, they aren’t assessed against the other requirements — but the assessor can run a limited check if your documentation or practices raise questions.
Do Specialized Assets have to meet all 110 controls?
At Level 2, Specialized Assets — such as IoT, OT, Government Furnished Equipment, and test equipment — are documented in your inventory, SSP, and network diagram and managed under risk-based policies. The SSP is reviewed, but they are not assessed against the other Level 2 requirements.
Is CMMC Level 2 based on NIST 800-171 Rev 2 or Rev 3?
Rev 2, for now. NIST withdrew Revision 2 on and superseded it with Revision 3, but DoD’s CMMC program continues to assess against Revision 2 under a class deviation until Revision 3 is incorporated through future rulemaking.
When should I engage a C3PAO?
Engage a C3PAO when your scope, SSP, asset inventory, network diagram, and evidence are ready for a formal Level 2 certification assessment, and verify the C3PAO’s status on the Cyber AB Marketplace. Resolve any scope questions before the assessment begins.
Can the same firm reduce my scope and then certify me?
No, not within three years. Under the CMMC Code of Professional Conduct, a C3PAO and its assessment team are prohibited from certifying an organization they provided consulting, advisory, or preparatory services to until a three-year prohibition term has expired. Keep readiness help and formal assessment as separate engagements with separate firms.
Make your next CMMC decision with less guesswork
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options. Whether your move is an enclave, a segmented network, whole-environment readiness, or you’re already implemented and ready for a C3PAO, the right category of help is the difference between a clean, affordable path and a six-figure detour.
Ready to act on what you’ve read?
We’ll match you with verified CMMC providers — enclave, readiness, MSP/MSSP, GRC, or C3PAO — scoped to your actual environment. No certification guarantees. No pressure to buy before you’re scoped.