CMMC Scoping Guide: How to Define Your Level 2 Assessment Scope (Without Cutting Corners)
Here’s the good news no one leads with: for most defense contractors in this position, CMMC scope is not your whole company.
This CMMC scoping guide exists to answer the one question that quietly sets the price of your entire compliance program — which of your systems, people, facilities, and providers actually get assessed — before you write a System Security Plan, buy a Microsoft GCC High tenant, sign a managed service provider, or call a third-party assessor. For most contractors handling Controlled Unclassified Information (CUI — sensitive but unclassified government information), the answer is a defined, separable set of assets — not everything in the building.
The trap is in two specific places — your service providers and your “small enclave” — and most pages on the first page of search results skip right past both. We’ll show you exactly where they are, then give you a step-by-step process and a worksheet to map your own boundary. First, find yourself in this table.
| If this describes you | Your likely scoping path | What to do next |
|---|---|---|
| You handle only Federal Contract Information (FCI), never CUI | Level 1 | Confirm FCI-only status — don’t overbuild to Level 2 without a CUI trigger |
| CUI lives in your email, file shares, ERP, CAD/PLM, endpoints, or SaaS | Level 2 (enterprise or segmented) | Map CUI flow and categorize assets before buying tools |
| You want to confine CUI to one controlled workspace | Level 2 enclave candidate | Pressure-test identity, admin, logging, backup, and endpoint paths |
| Your MSP, MSSP, or cloud provider touches CUI or your security logs | ESP / CSP analysis required | Build a provider responsibility matrix before you sign |
| You have OT, lab/test equipment, GFE, or restricted systems | Specialized Asset analysis | Document the limits — do not casually mark them “out of scope” |
| Your scope is set and your evidence is mature | Assessment-readiness path | Prepare for the C3PAO’s pre-assessment scope confirmation |
What is CMMC scoping, in plain English?
CMMC scoping is the process of deciding which assets fall inside your CMMC Assessment Scope — the defined set of systems, people, facilities, and external services an assessor will evaluate — before any assessment happens. Under 32 CFR § 170.19, the scope must be specified up front, and it covers everything in your environment that processes, stores, transmits, or protects FCI or CUI. It is not “everything your company owns,” and it is not “only the one folder where CUI sits.”
CMMC, the Cybersecurity Maturity Model Certification, is the Defense Department’s program for verifying that contractors actually meet the cybersecurity requirements already in their contracts. Here’s a reframe worth holding onto before you panic: CMMC does not add new security requirements beyond NIST Special Publication 800-171 and 800-172. It adds verification. Your obligation to protect CUI has existed since the DFARS 252.204-7012 clause took effect years ago. CMMC simply adds a formal, structured way to prove you’re doing it.
Scoping is the mechanism that makes the 110-requirement standard proportional to your actual risk. When contractors describe CMMC as a budget-buster, they almost always haven’t scoped yet — they imagine all 110 controls landing on every laptop, every cloud tenant, every ERP module, every printer, every person. A proper scope limits that surface. You can’t shrink the requirements. You can shrink the footprint they apply to — legally, and by design.
Why scope comes before your SSP, your tools, and your C3PAO
Writing a System Security Plan (SSP — the document that describes how each in-scope system meets the requirements) before you’ve defined scope is like drafting a floor plan before you know where the property lines are. Every downstream artifact — your asset inventory, your network diagram, your SSP, your Plan of Action and Milestones (POA&M), your eventual Supplier Performance Risk System (SPRS) score — is built on top of the boundary you draw. Get the boundary wrong and you rebuild all of it.
It’s common for contractors to spend months hardening systems that never needed it, and just as common for others to sail through a self-assessment only to have a third-party assessor find CUI on a system they swore was out of scope. Both failures trace back to the same root cause: scoping was skipped, or done last.
Who should skip this page
We’d rather route you correctly than waste your time. If you only need the plain definition of CMMC and its levels, start with our overview of what CMMC is. If your scope is already validated and you need the control-by-control build, go to our CMMC Level 2 checklist. If you’re deciding whether a CUI enclave pencils out financially, our CMMC enclave cost breakdown is the better page. And if you need a legal reading of a specific contract clause, talk to counsel — nothing here is legal or contractual advice. Everyone else: keep reading. This is the canonical scoping page, and the next ten minutes will save you weeks.
What’s actually in scope for CMMC Level 2? The five asset categories
For CMMC Level 2, every asset in your environment falls into exactly one of five categories defined in 32 CFR § 170.19(c): CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets. Only CUI Assets are assessed against the full set of 110 security requirements in NIST SP 800-171 Revision 2. The other in-scope categories are documented and reviewed, but assessed differently — and that difference is where the real money is.
This is the heart of scoping, so we’ll define each category the way the rule and the DoD CMMC Level 2 Scoping Guide (Version 2.13, September 2024) define it — then show you the mistake that trips people up.
CUI Assets
A CUI Asset processes, stores, or transmits CUI. Think file servers holding controlled drawings, the laptops people open them on, the email system they travel through, the ERP module that carries controlled technical data. These are the crown jewels of your scope. Each one goes in your asset inventory, your SSP, and your network diagram, and each is assessed against all 110 NIST SP 800-171 Rev. 2 requirements — the full control set, organized into 14 control families and evaluated through the 320 assessment objectives in NIST SP 800-171A (June 2018). The most common mistake: letting CUI sprawl onto personal laptops, consumer cloud storage, and random SaaS tools, which inflates this category — and your cost — without anyone deciding to do it.
Security Protection Assets (and Security Protection Data)
A Security Protection Asset (SPA) provides security functions to your in-scope environment, even if it never touches CUI itself. Your firewall, identity provider, endpoint detection (EDR), SIEM, vulnerability scanner, and privileged-access tooling are all SPAs. Per the rule, SPAs are in scope and are assessed against the Level 2 requirements relevant to the protection they provide — not necessarily all 110. The rule also defines Security Protection Data (SPD): the data those tools handle, such as log data, configuration data, vulnerability findings, and passwords. The most common mistake: assuming your security stack — or your MSP’s security stack — is “out of scope” because it doesn’t store CUI. It isn’t. If it protects the environment, it’s in.
Contractor Risk Managed Assets
A Contractor Risk Managed Asset (CRMA) can process, store, or transmit CUI but is not intended to, specifically because of the policies, procedures, and practices you have in place. Critically, the rule says CRMAs do not have to be physically or logically separated from CUI Assets. They’re in scope, but they are not assessed against the full requirement set — unless your documentation is insufficient or something raises a question, in which case the assessor can conduct a limited check against the applicable requirements to identify deficiencies. The most common mistake: treating “we don’t intend to put CUI there” as proof. Intent isn’t enough. A CRMA needs documented policy, procedure, and practice support — without it, you invite that limited check.
Specialized Assets
Specialized Assets can process, store, or transmit CUI but can’t be fully secured by conventional means. The rule names them specifically: Internet of Things (IoT) and Industrial IoT (IIoT) devices, operational technology (OT), government-furnished equipment (GFE), restricted information systems, and test equipment. These are in scope, you document them in your inventory, SSP, and network diagram, and the assessor reviews the SSP to confirm you’re managing them with risk-based practices — but they are not assessed against the other Level 2 requirements. Many also qualify as an Enduring Exception: a documented circumstance where full compliance isn’t feasible. No operational POA&M is required for an Enduring Exception, but it must be documented in your SSP. The most common mistake: dumping shop-floor and lab gear into “out of scope” when it should be a documented Specialized Asset — exactly the kind of gap an assessor catches.
Out-of-Scope Assets
An Out-of-Scope Asset cannot process, store, or transmit CUI, provides no security protection to your CUI Assets, and is physically or logically separated from the in-scope environment. All three conditions must hold. Per the rule, these carry no documentation requirements, though you should be prepared to justify why they can’t touch CUI. The most common mistake: claiming “out of scope” on the strength of a VLAN, a folder permission, or encryption alone. None of those, by themselves, create the separation the rule requires. (More on that in the enclave section — it’s the single most expensive misunderstanding in CMMC scoping.)
The CMMC Level 2 Asset Category Matrix
Here’s the whole model in one place, built from the text of 32 CFR § 170.19 and the DoD CMMC Level 2 Scoping Guide so you can categorize an asset in about fifteen seconds.
| Asset category | What it is (32 CFR § 170.19) | In scope? | What you document | How it’s assessed | The costliest mistake |
|---|---|---|---|---|---|
| CUI Asset | Processes, stores, or transmits CUI | Yes | Inventory + SSP + network diagram + CUI flow | Against all 110 NIST SP 800-171 Rev. 2 requirements | Letting CUI spread onto laptops, SaaS, and shares |
| Security Protection Asset | Provides security functions/capabilities to the scope; handles Security Protection Data | Yes | Inventory + SSP + diagram | Against the requirements relevant to the protection it provides | Calling your (or your MSP’s) firewall, IdP, EDR, SIEM “out of scope” |
| Contractor Risk Managed Asset | Could touch CUI but isn’t intended to, due to your policies and practices | Yes (managed by risk) | SSP entry with documented policy, procedure, and practice support | Not assessed in full — a limited check only if documentation is weak or findings raise questions | Treating “we don’t intend to” as proof, with no documentation |
| Specialized Asset | IoT/IIoT, OT, GFE, restricted systems, test equipment — can’t be fully secured | Yes (limited) | Inventory + SSP treatment + diagram | SSP reviewed; not assessed against the other requirements; may be an Enduring Exception | Marking shop-floor / OT / GFE as out of scope |
| Out-of-Scope Asset | Can’t touch CUI, protects nothing in scope, and is separated | No | None (but be ready to justify) | Not assessed | Claiming separation with only a VLAN, an ACL, or encryption |
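The matrix above is a decision procedure, and it is easy to apply it inconsistently across a few hundred inventory rows. The script below is an added example, not code from the original article or from DoD: it encodes the five-category decision in the order the matrix implies (Specialized, then CUI Asset, then SPA, then CRMA, then the three-condition Out-of-Scope test), flags the “costliest mistake” for each category, and applies the separation rule from the enclave section (firewalls, routers, VPNs and VLANs separate; encryption and ACLs alone do not). The `Asset` attributes, the category ordering, the conservative choice to keep an unseparated asset in scope as a CRMA, and the sample inventory are all this example’s own assumptions, constructed for illustration.

```python
"""Added example: first-pass CMMC Level 2 asset categorizer.

Not part of the original article or any DoD tooling. Attribute names,
decision order and the sample inventory are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

# Per the article: firewalls, routers, VPNs and VLANs create logical
# separation; encryption, folder permissions and ACLs alone do not.
SEPARATION_MEANS = {"physical", "firewall", "router", "vpn", "vlan"}
NOT_SEPARATION_ALONE = {"encryption", "acl", "folder_permission"}
SPECIALIZED_KINDS = {"iot", "iiot", "ot", "gfe", "restricted", "test_equipment"}


@dataclass
class Asset:
    name: str
    can_handle_cui: bool                     # able to process, store or transmit CUI
    intended_for_cui: bool = False           # CUI is meant to live here
    provides_security: bool = False          # firewall, IdP, EDR, SIEM, scanner, PAM
    specialized_kind: Optional[str] = None   # one of SPECIALIZED_KINDS, if any
    separation: set = field(default_factory=set)  # mechanisms isolating it from CUI assets
    crma_policy_documented: bool = False     # policy/procedure/practice written down
    claimed_category: Optional[str] = None   # what the team currently asserts


def categorize(a: Asset) -> tuple[str, list[str]]:
    """Apply the five-category decision in order; return (category, warnings)."""
    warnings: list[str] = []
    if a.specialized_kind in SPECIALIZED_KINDS:
        cat = "Specialized Asset"
    elif a.can_handle_cui and a.intended_for_cui:
        cat = "CUI Asset"
    elif a.provides_security:
        cat = "Security Protection Asset"
    elif a.can_handle_cui:
        cat = "Contractor Risk Managed Asset"
        if not a.crma_policy_documented:
            warnings.append("CRMA without documented policy/procedure/practice "
                            "support; expect a limited check")
    elif a.separation & SEPARATION_MEANS:
        # All three out-of-scope conditions hold: cannot handle CUI,
        # protects nothing in scope, and is physically/logically separated.
        cat = "Out-of-Scope Asset"
    else:
        # Conservative fallback (this example's choice): nothing real separates
        # it, so keep it in scope as a CRMA until separation is demonstrated.
        cat = "Contractor Risk Managed Asset"
        weak = ", ".join(sorted(a.separation & NOT_SEPARATION_ALONE)) or "nothing"
        warnings.append(f"not separated by firewall/router/VPN/VLAN; "
                        f"{weak} alone does not create separation")
    if a.claimed_category and a.claimed_category != cat:
        warnings.append(f"team claims '{a.claimed_category}' but the rule points to '{cat}'")
    return cat, warnings


def review_inventory(assets) -> dict:
    """Return {asset name: (category, warnings)} for a whole inventory."""
    return {a.name: categorize(a) for a in assets}


# Constructed sample inventory, one asset per decision branch.
SAMPLE_INVENTORY = [
    Asset("cad-fileserver", can_handle_cui=True, intended_for_cui=True),
    Asset("msp-hosted-siem", can_handle_cui=False, provides_security=True,
          claimed_category="Out-of-Scope Asset"),
    Asset("hr-laptops", can_handle_cui=True, crma_policy_documented=False),
    Asset("cnc-mill", can_handle_cui=True, specialized_kind="ot",
          claimed_category="Out-of-Scope Asset"),
    Asset("guest-wifi-ap", can_handle_cui=False, separation={"vlan", "firewall"}),
    Asset("lobby-signage", can_handle_cui=False, separation={"encryption", "acl"},
          claimed_category="Out-of-Scope Asset"),
]

if __name__ == "__main__":
    for name, (cat, warns) in review_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:16} -> {cat}")
        for w in warns:
            print(f"{'':16}    ! {w}")
```

Run it and the two assets the team marked “out of scope” (the MSP’s SIEM and the CNC mill) come back as a Security Protection Asset and a Specialized Asset, and the signage that relies on encryption and an ACL is held in scope with a warning. Swap the constructed rows for your own inventory export; the value is the written reason each warning gives you for the scope assumptions log.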
► Build your first-pass CMMC scope map
Stop guessing which bucket each system belongs in. Tell us your level, scope, and timeline, and we’ll match you with source-checked readiness providers who will return a draft asset-category list, the artifacts you’ll need to defend it, and your likely next step. No CUI, contract numbers, diagrams, or system details required.
Map your CMMC scope →
CUI or FCI? The question that sets your level — and your scope
Your scope follows your data. Federal Contract Information (FCI) — information generated for or provided by the government under a contract and not meant for public release — generally points to Level 1. CUI — the more sensitive category that includes most controlled technical data — points to Level 2 or higher, depending on what the contract requires. So before you categorize a single asset, settle which type of information you actually handle, because that decision determines how big your boundary even needs to be. For a detailed breakdown of the distinction, see our FCI vs. CUI explainer.
The FCI-only path (Level 1)
If your contract work involves FCI but no CUI, you’re likely a Level 1 contractor. Level 1 covers the assets that process, store, or transmit FCI, requires 15 basic safeguards drawn from FAR 52.204-21, and is met through an annual self-assessment. Specialized Assets aren’t even in the Level 1 scope, and Level 1 has no SSP requirement. The trap here is the opposite of over-scoping: don’t build a Level 2 program on an FCI-only environment just because CMMC sounds intimidating. Confirm the absence of CUI first.
The CUI path (Level 2 and up)
If CUI is present, you’re in Level 2 territory, and your scope expands to everywhere CUI is received, created, edited, reviewed, stored, transmitted, printed, backed up, or shared. This is where the five-category model does its work. The discipline that separates a clean scope from a messy one is simple: map the data, then categorize the assets— never the reverse.
Markings vs. contract language vs. actual content
A question we see constantly: how much weight do markings carry versus the contract and the actual content? Markings matter, but they are not the only signal, and they’re frequently wrong. CUI shows up unmarked, and commercial data gets over-marked. Under the federal CUI program, the agency or originator is responsible for marking or identifying the CUI it shares with a contractor — so when a marking is missing or ambiguous, the right move is to send the question back to the government contracting activity or originator, not to guess. Follow the contract language, the DFARS 252.204-7012 clause, and the nature of the work; treat legacy markers like FOUO, ITAR, and export-controlled as flags that CUI may be present. Then write down your reasoning.
If you can’t tell whether a deliverable, attachment, portal, or drawing is CUI, ask the prime or contracting officer directly — and preserve their answer in your scoping record. That paper trail is what makes a scope defensible rather than merely convenient.
CMMC scope at Level 1 vs. Level 2 vs. Level 3
Scope is defined differently at each CMMC level. Level 1 scopes around FCI Assets and has no SSP requirement. Level 2 uses the full five-category model in § 170.19(c) and is assessed against NIST SP 800-171 Rev. 2 (110 requirements across 14 families). Level 3 scopes under § 170.19(d), requires a current Final Level 2 status as a prerequisite, adds 24 selected requirements from NIST SP 800-172 on top of the 110, and is assessed by the government’s own Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) — not a commercial assessor.
The level also determines your assessment type, which is assigned in the contract. The four are Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), and Level 3 (DIBCAC). A C3PAO — a CMMC Third-Party Assessment Organization — is an outside firm authorized to perform Level 2 certification assessments. DoD’s regulatory analysis estimates that roughly 35% of affected contractors will need a Level 2 third-party assessment, with most of the rest self-assessing — but which side of that line you fall on is set by the sensitivity of the information in your contract, not by your preference.
One accuracy point most pages get wrong: Rev. 2, not Rev. 3
We’ll flag this plainly because we keep seeing it stated incorrectly: CMMC Level 2 is assessed against NIST SP 800-171 Revision 2 — not Revision 3. NIST published Revision 3 in 2024, and plenty of articles treat it as the new CMMC baseline. It isn’t. Per the DoD CIO’s official CMMC Program FAQ (Revision 2.3, the May 2026 update), the Department has issued a class deviation that keeps Revision 2 as the standard contractors are assessed against until Revision 3 is incorporated into the 32 CFR Part 170 rule through formal rulemaking. Contractors may adopt Revision 3, but only using DoD’s Organization-Defined Parameters (from the Department’s April 2025 memorandum) and only while closing any Rev. 2-to-Rev. 3 gaps. If a vendor tells you to scope and remediate to Rev. 3 today as the controlling standard, check the date on their page — the baseline is Rev. 2 until the rule changes.
How to scope your environment, step by step
Scoping works best as a short, disciplined sprint, not a six-month architecture debate. Run it in this order: confirm the contract trigger, find your CUI, follow the flow, categorize every asset, then freeze a versioned draft. The single rule that prevents the most expensive errors: start with where CUI lives, not with a list of tools. You propose the boundary; an assessor can challenge a boundary that leaves obvious gaps.
Step 1 — Confirm the contract trigger. What put CMMC on your radar? Pull the solicitation, the subcontract, or the prime’s flow-down notice and identify the DFARS clause, the required CMMC level, and the assessment type. A scope built without confirming the trigger is a scope built on a guess.
Step 2 — Identify your CUI sources. Who sends you CUI, what type, and how does it arrive? Common sources: technical drawings and specifications, controlled technical information, export-controlled project files, DoD emails, customer portals, and subcontractor deliverables. List every inbound channel.
Step 3 — Follow the CUI flow. Trace each source through its whole life: receipt, processing, storage, transmission, sharing, backup, printing, archiving, deletion, and support access. Talk to the people who actually handle it — the engineer who downloads the drawing, the admin who runs the backup, the project manager who emails the prime. Scoping is the practical identification of people, platforms, and pathways, not a theoretical diagram.
Step 4 — Categorize every asset. Now, and only now, tag each system, user, facility, and service as a CUI Asset, SPA, CRMA, Specialized Asset, or Out-of-Scope Asset using the matrix above. Write down why for each one.
Step 5 — Freeze a scope version. Label it like a release: “Scope v0.1 — working draft, based on contracts reviewed through [date], CUI sources reviewed [list], open assumptions [list].” Scope is an operating assumption, not a one-time artifact, and a versioned draft gives you something concrete to validate and update.
What documents do you need to prove your CMMC scope?
A defensible scope is more than a tidy diagram. When an assessor — or a prime, or a customer — questions your boundary, seven artifacts answer the question. The rule and the DoD scoping guide explicitly require documenting your Level 2 asset categories across an inventory, an SSP, and a network diagram; the rest are the practices that keep a scope from collapsing under scrutiny.
| Artifact | Why it matters | What “good” looks like |
|---|---|---|
| Contract / flow-down review log | Tells you whether FCI, CUI, Level 1, Level 2 self, Level 2 C3PAO, or Level 3 is in play | Solicitation, subcontract, DFARS clause, assessed level, assessment type, customer clarifications |
| CUI source inventory | Scope starts with data, not tools | Who sends CUI, what type, where it lands, how it’s marked, who uses it |
| CUI data-flow map | Exposes process, storage, transmission, backups, and provider touchpoints | A diagram from receipt → use → storage → sharing → archive/deletion |
| Asset-category inventory | Converts environment facts into official CMMC categories | Every asset tagged CUI / SPA / CRMA / Specialized / Out-of-Scope, with a reason |
| Network / boundary diagram | Shows where the assessment boundary starts and stops | In-scope and out-of-scope systems, segmentation, identity, admin paths, logging, backups, remote access |
| Provider responsibility matrix | Kills the “we outsourced it, so it’s out of scope” assumption | Who handles CUI, SPD, admin, logs, tickets, backups, evidence, and incident response |
| Scope assumptions log | Protects you in future disputes and re-scopes | “Why we classified this asset this way,” with source, date, owner, and re-review trigger |
► Download the CUI Data Flow & Asset Inventory Worksheet
This is the structure assessors expect to see — and the one most contractors rebuild from scratch under pressure. Our CMMC readiness checklist gives your team the artifact structure to hand to IT, compliance, and leadership before remediation begins, so you scope once instead of three times. No CUI required — it’s a framework you fill in privately.
Get the readiness checklist →
Are your MSP, cloud, and GRC tools in scope? The ESP and CSP rules
Often, yes — but only when the provider processes, stores, or transmits CUI or Security Protection Data, or provides security functions for the CUI environment. Under 32 CFR § 170.4, an outside provider counts as an External Service Provider (ESP) for CMMC only if CUI or SPD is processed, stored, or transmitted on its assets. An ESP doesn’t automatically need its own CMMC certification for that support relationship; instead, a non-cloud ESP that handles your CUI or SPD is assessed as part of your scope. A Cloud Service Provider (CSP) that handles CUI is the special case: it must meet the FedRAMP Moderate (or higher) baseline under DFARS 252.204-7012. The responsibility for sorting this out has shifted onto you, the contractor — so map your providers early. We keep a full breakdown of the rules on the CMMC external service provider requirements page.
MSPs and MSSPs
If your managed service provider (MSP) or managed security service provider (MSSP) administers your endpoints, identity, firewall, EDR, backups, ticketing, or logging for the CUI environment, it is not automatically outside your scope. Here’s the part that surprises people: per the CMMC FAQ, even when no CUI is sent to a vendor, an MSSP that handles your Security Protection Data — your logs, configs, vulnerability data — still qualifies as an ESP and is assessed as part of your scope. The provider does not need its own CMMC certification; a non-cloud MSP that stores your CUI may elect to get certified to simplify your assessment, but if it does, its certification must be at the same level and type as your contract requires (or higher) and must cover the assets in your scope. Before you lean on any MSP or MSSP, get a written responsibility matrix. A related page covers the CMMC managed enclave model in detail.
Cloud Service Providers and FedRAMP
If CUI is stored, processed, or transmitted in a cloud service, the FedRAMP question is unavoidable. A CUI-handling CSP must hold a FedRAMP Moderate authorization (an Authority to Operate) or demonstrate FedRAMP Moderate equivalency under DoD’s December 2023 equivalency memo — a standard the memo defines stringently. Per the FAQ, even encrypting your CUI does not let you use a non-FedRAMP-Moderate cloud offering. Marketing language like “CMMC-ready” or “DoD-grade” is not evidence. Your assessor will look for the authorization or the equivalency body of evidence, plus a customer responsibility matrix. One more nuance: if your cloud tenant is licensed directly to you and your MSP merely resells or administers it, the MSP generally is not a CSP. But if your MSP contracts with the cloud provider and modifies the underlying service, the MSP may itself be a CSP and inherit the FedRAMP obligation.
GRC and evidence tools
A governance, risk, and compliance (GRC) platform can stay outside your CUI environment if it only stores control-status metadata. It becomes relevant the moment users start uploading CUI, detailed network diagrams, raw logs, vulnerability reports, or credentials into it — that’s Security Protection Data. Our blunt editorial guidance: don’t put CUI or SPD into a GRC tool unless you’ve intentionally selected and documented it for that role. And remember the larger point — software alone never satisfies CMMC. A GRC tool organizes your evidence; it doesn’t implement your controls or shrink your scope.
Use this mini-matrix on every provider before you sign or renew:
| Provider | Handles CUI? | Handles SPD? | Has admin access? | Holds your logs/configs? | Responsibility matrix on file? | Resulting scope treatment |
|---|---|---|---|---|---|---|
| Your MSP | | | | | | |
| Your CSP | | | | | | |
| Your GRC tool | | | | | | |
► Match your scope to the right kind of provider
Once you can see which providers fall inside your boundary, the question shifts from “what’s in scope” to “who should help.” Our CMMC provider categories page covers the full landscape — readiness, managed services, enclave, evidence workflow, and assessment — with source-checked descriptions of each role.
Compare provider categories →
Can a CUI enclave or VDI shrink your scope?
Yes — done correctly, a CUI enclave is the single most effective scope-reduction strategy in the Defense Industrial Base, because it confines CUI to a defined, separated environment so that only the enclave and its supporting security assets meet the full control set instead of your whole network. The catch is the word correctly — and this is where we have to be straight with you.
Scoping does not make CMMC requirements disappear. It only decides where they apply. If your “small enclave” still leans on enterprise identity, shared admin workstations, company-wide backups, ticketing, or unmanaged downloads, those touchpoints quietly pull assets back into scope. And no scoping guide — including this one — can categorize your assets for you, because the categories depend on facts only visible inside your contracts and your network. A web page can hand you the model; it can’t see your data flow.
That’s not a reason to despair. It’s the reason the two things that actually de-risk scoping are a documented data-flow map and a second set of expert eyes on the boundary — not a tool purchase. The contractors who get this right shrink their scope and keep it defensible. For a full comparison of architecture approaches and cost drivers, see our CMMC scope reduction guide.
What actually counts as separation
Separation is physical or logical, and the bar is higher than most teams assume. Per the CMMC FAQ, logical separation happens when data transfer between physically connected assets is prevented by non-physical means — firewalls, routers, VPNs, VLANs — and encryption alone does not create logical separation. File and folder permissions and access control lists, by themselves, aren’t enough either.
But here’s a nuance the FAQ added that can save you real money, and that most pages miss: if your enclave is otherwise logically separated, sending properly encrypted CUI across your broader enterprise network does not automatically pull those enterprise networking components into your assessment scope. Encryption doesn’t create the boundary, but with a real boundary in place, encrypted transit across outside networking doesn’t break it. For architecture comparisons, see our dedicated pages on CMMC secure enclave, CMMC managed enclave, and GCC High for CMMC.
The VDI nuance
There’s a legitimate design pattern in the rule and FAQ: if a user reaches CUI only through a Virtual Desktop Infrastructure (VDI) client — where only keyboard, video, and mouse signals move, and CUI is never processed, stored, or transmitted on the local device — that endpoint can be treated as out of scope. To rely on it, the FAQ is specific: the VDI server must block copy-paste, file transfers, printing, and screenshots to the endpoint; the session must transmit only video, keyboard, and mouse data; multifactor authentication to the VDI server must be separate from the unmanaged client; and the configuration must be verified. Treat it as a pattern you document carefully, not a universal loophole. The moment someone can pull CUI down to the local machine, the endpoint is back in scope.
What breaks an enclave boundary
Keep this list where your team can see it. Each of these can drag systems into your scope:
- Downloading CUI to local endpoints
- Printing outside a controlled workflow
- Screenshots and sync clients
- Email forwarding
- Unmanaged USB
- Shared identity
- Enterprise-wide backups
- Unmanaged admin access
- MSP remote tools
- Ticket attachments
- SIEM/log exports
- Vulnerability scans and reports
- Subcontractor file exchange
► Get matched with source-checked readiness and enclave options
If you’ve realized your boundary needs design help — or a true CUI enclave — this is the moment to bring in the right category of partner, not a third-party assessor. Tell us your level, scope, and timeline, and we’ll match you with source-checked provider options whose role and status we’ve verified. No CUI required.
Get matched →
What does CMMC scoping actually cost?
Scope size is the biggest single driver of CMMC cost — and the scary headline number is only part of the bill. A gap or scoping assessment typically runs $3,500–$20,000. SSP and documentation work runs $5,000–$15,000 if you do it yourself, $15,000–$40,000 with a consultant. Remediation — the actual fixing — commonly lands between $20,000 and $150,000+, depending on how far your environment is from the controls. A CUI enclave runs roughly $300–$400 per user per month, scaling up to $3,000–$4,000 per month for the environment. And the Level 2 third-party assessment itself runs $30,000–$150,000 by company size.
| Line item | Small (<50 employees) | Mid (50–200) | Large (200+) |
|---|---|---|---|
| Gap analysis / scoping assessment | $3.5k–$8k | $8k–$12k | $12k–$20k |
| SSP + documentation | $5k–$15k (DIY) | $15k–$40k (consultant) | $40k–$60k |
| Remediation / control implementation | $20k–$50k | $50k–$115k | $115k–$150k+ |
| CUI enclave (if used) | $300–$400 / user / mo | — | up to $3k–$4k / mo |
| C3PAO Level 2 assessment | $30k–$50k | $50k–$80k | $80k–$150k |
The number DoD doesn’t include — and why it matters for scoping
You’ll see DoD’s official Level 2 figure of roughly $104,670 quoted everywhere. Read the fine print: that estimate covers only assessment and affirmation over the three-year cycle, and it assumes you’ve already implemented NIST SP 800-171. The CMMC FAQ states this directly — costs to meet the existing safeguarding requirements (the DFARS 252.204-7012 obligations you’ve owed for years) are not counted as CMMC compliance costs. In plain terms: the official number is what it costs to prove compliance, not to achieve it. For a contractor starting from a weak posture, the remediation line above is the real project — and it’s driven almost entirely by how many systems you put in the CUI category. That’s why an hour of honest scoping can be worth tens of thousands of dollars.
The capacity squeeze is real
Phase 1 of the rollout runs through , and focuses primarily on self-assessments. Phase 2 begins — the point at which Level 2 third-party certification starts attaching broadly to new and renewing contracts. Industry reporting through early 2026 has consistently described a shortage of authorized C3PAOs and certified assessors relative to the size of the Defense Industrial Base, with assessment queues measured in months. For the current number of authorized C3PAOs and assessors, check the Cyber AB Marketplace directly. The takeaway holds regardless of the exact count: a year-long readiness timeline plus a multi-month assessment queue means the runway is shorter than the calendar suggests, and scoping is the free first step you can take today.
What a C3PAO checks — and why you probably shouldn’t call one yet
A C3PAO does not discover your scope for you. Under the Cyber AB’s CMMC Assessment Process, a Level 2 certification assessment begins with pre-assessment proceedings where the C3PAO and your organization confirm the exact legal entity and the assessment scope before the assessment proceeds — including how your ESPs and CSPs participate and resolving any disagreement about the boundary. If you walk in with a vague scope, you get delays, change orders, or a failed assessment — not a helpful scoping session. The right sequence is: define and validate scope, get ready, then engage the assessor. Our C3PAO directory covers how to find and verify authorized assessors on the Cyber AB Marketplace.
Readiness help and assessment help are different jobs
Readiness consultants, MSPs, MSSPs, enclave architects, and GRC providers help you prepare. C3PAOs assess. These are separate roles, and blurring them is a mistake we won’t let you make. An Organization Seeking Certification (OSC) — the term the rule uses for a company pursuing a Level 2 C3PAO assessment — should arrive with a documented, defensible scope and the seven artifacts above. For guidance on sequencing the right provider type, see our who to hire first guide.
The conflict-of-interest rule
There’s a hard line here, set by the Cyber AB’s Code of Professional Conduct: the firm that consulted with you to prepare for your assessment generally cannot also be the firm that performs that certification assessment. That independence requirement is exactly why you keep readiness and assessment in separate lanes — and why, at the scoping stage, the right next step is readiness or implementation help, not an assessor. Plan to choose your remediation partner and your assessor as two different decisions.
How DFARS clauses 7012, 7019, 7020, 7021, and 7025 connect to your scope
Scoping doesn’t live in isolation — it feeds a stack of contract clauses that decide your eligibility to win work. Your scope determines what each of these applies to.
| DFARS clause | What it does | Why it matters for scope / SPRS |
|---|---|---|
| 252.204-7012 | Safeguarding Covered Defense Information and Cyber Incident Reporting | The baseline obligation: implement NIST SP 800-171 on systems handling CUI, meet FedRAMP Moderate for CUI-handling clouds, report incidents within 72 hours |
| 252.204-7019 | Notice of NIST SP 800-171 DoD Assessment Requirements | To be eligible for award, you must have a current (not more than 3 years old) NIST SP 800-171 DoD Assessment score posted in SPRS for the relevant systems |
| 252.204-7020 | NIST SP 800-171 DoD Assessment Requirements | Requires you to keep that SPRS score current, give the government access for Medium/High assessments, and flow the requirement down to subcontractors |
| 252.204-7021 | Cybersecurity Maturity Model Certification Requirements | Requires a current CMMC certificate/status at the level the contract specifies, annual affirmation of continued compliance, and flow-down to applicable subcontracts |
| 252.204-7025 | Notice of CMMC Level Requirements | The solicitation provision that tells you which CMMC level a given opportunity requires before award |
The practical link to scope: your assessment boundary defines which systems carry the 800-171 score that 7019/7020 put in SPRS, and the same boundary defines what your 7021 CMMC status covers. Draw the boundary loosely and you inflate every clause’s footprint; draw it precisely and you keep the obligation proportional to the CUI you actually handle.
The most expensive CMMC scoping mistakes
The costliest CMMC mistakes are rarely control mistakes — they’re boundary mistakes. Contractors overspend when they sweep everything into scope, and they create assessment risk when they exclude identity, admin tools, logs, backups, endpoints, MSP access, or cloud services that genuinely support the CUI environment.
| Mistake | Why it hurts | Better move |
|---|---|---|
| Starting with a tool purchase | You buy for the wrong boundary and pay twice | Map CUI flow first, then buy |
| Assuming GCC High, a secure-email tool, or a GRC platform “solves” scope | Scope includes workflow, users, identity, admins, logs, backups, and providers | Build a provider responsibility matrix |
| Treating MSP/MSSP access as out of scope | Admin tooling and Security Protection Data pull the provider in — even with no CUI sent | Classify the provider’s role; document responsibilities |
| Calling Specialized Assets “out of scope” | OT, GFE, and test equipment are in scope with special treatment | Document them as Specialized Assets |
| Treating “no CUI intended” as enough for a CRMA | CRMAs need documented policies, procedures, and practices, or they draw a limited check | Add a written risk rationale and monitoring |
| Scheduling a C3PAO before scope is stable | Pre-assessment exposes the gaps and burns your slot | Validate scope first, then book the assessment |
| Scoping and remediating to NIST 800-171 Rev. 3 | CMMC Level 2 maps to Rev. 2 until DoD changes the rule | Build to Rev. 2; track the FAQ and class deviation |
| Under-scoping to lower the bill | It’s exactly what assessors and DIBCAC catch — and it fails you after you’ve spent | Scope honestly; reduce scope legitimately with a real enclave |
One scoring rule worth building into your plan: under the CMMC scoring methodology, a Level 2 self-assessment that doesn’t reach a score of at least 80% (88 of the 110 requirements implemented) returns “No CMMC Status” in SPRS, and six specific requirements identified in 32 CFR § 170.21 cannot be deferred on a POA&M for the purpose of achieving certification. Scope and remediate accordingly — a boundary that’s too big can quietly drop you below that 88-point line.
When does your CMMC scope need to change?
Scope is not a one-time diagram — it’s an operating assumption that has to stay aligned with the environment you’re affirming. Recheck it whenever your CUI flow, systems, providers, users, facilities, cloud services, backups, or subcontractor relationships change. The CMMC FAQ is explicit that the program’s three-year assessment cycle and annual affirmations are designed to accommodate change — and that the decision of whether a change is significant enough to require a new assessment rests with your Affirming Official, the senior official who bears the legal and contractual risk of attesting to continued compliance.
There’s no single bright-line definition of “significant change,” but the FAQ gives three useful guideposts:
- Reassessment required: a requirement that was Not Applicable becomes applicable. The FAQ’s example: you add Wi-Fi to an environment that earned its status without it, so the wireless-access requirements (AC.L2-3.1.16 and 3.1.17) now apply and have never been assessed.
- Not a significant change: routine maintenance and like-for-like upgrades that hold or improve your security posture — for instance, swapping an older FIPS 140-2 firewall for a FIPS 140-3 model.
- Requires careful evaluation: major functionality changes, a new security design not reflected in your SSP, or anything that reduces support for a requirement. Merging a previously unassessed environment into your assessed one is the classic example — the unassessed systems trigger a reassessment.
The discipline that keeps you out of trouble: run a security impact analysis before the change (CM.L2-3.4.4), check the effect on CUI flow (AC.L2-3.1.3), review it with your Affirming Official, document it, and update the SSP afterward. Treat a scope change as a governance event, not a routine IT ticket — and remember that for Levels 2 and 3, a Conditional CMMC status lasts no more than 180 days, the window in which you close out your POA&M before the conditional status expires.
What to do once your scope is defined
Your next step depends on maturity, not on a one-size-fits-all checklist. If your scope is still unstable, validate it before you spend on remediation. If your scope is stable but your controls are weak, begin readiness work. If both your scope and your evidence are mature, prepare for the Level 2 self-assessment or C3PAO assessment your contract requires.
- If your scope is unstable: run a scoping workshop, finish your CUI-flow interviews, complete the provider responsibility matrix, and lock the boundary.
- If your scope is stable but controls are weak: engage a readiness provider or MSP/MSSP, build out the SSP and POA&M, and stand up your evidence workflow. See our CMMC readiness checklist and Level 2 requirements overview.
- If scope and evidence are mature: do a readiness review, then — keeping independence in mind — engage a C3PAO for the certification assessment.
How we built this CMMC scoping guide
We built this guide from primary regulatory and program sources, not vendor marketing. We read the scoping rule itself, cross-checked it against the DoD scoping guide, confirmed the current Level 2 baseline and the Rev. 2-versus-Rev. 3 question in the official FAQ, pulled the encryption, VDI, ESP/CSP, and significant-change answers from that FAQ verbatim, and verified the DFARS clause ladder and the conditional-status rule before assembling the matrices and cost dataset on this page.
What we verified
- Scoping requirement and the five asset categories: 32 CFR § 170.19 (eCFR), confirming the assessment scope must be specified before assessment and defining CUI Assets, SPAs, CRMAs, Specialized Assets, and Out-of-Scope Assets.
- Category definitions and assessment treatment: DoD CMMC Level 2 Scoping Guide, Version 2.13 (September 2024).
- ESP/CSP treatment, encryption, VDI, classified systems, hard-copy CUI, and significant change: DoD CIO CMMC Program FAQ, Revision 2.3 (May 2026), Sections C, E, and the new Section F (Scoping).
- CSP FedRAMP Moderate requirement: DFARS 252.204-7012 and DoD’s December 2023 FedRAMP equivalency memo.
- DFARS clause ladder (7012, 7019, 7020, 7021, 7025): Acquisition.gov / eCFR clause text.
- Program rule and effective date: 32 CFR Part 170, effective (Federal Register).
- Contract clause and rollout: DFARS 252.204-7021, effective ; phased schedule under 32 CFR § 170.3(e), with Phase 1 running –and Phase 2 beginning .
- Current Level 2 baseline: NIST SP 800-171 Revision 2, held in place by a class deviation per the CMMC FAQ and DoD’s April 2025 Organization-Defined Parameters memo.
- Conditional status, the 180-day window, the 88-of-110 score floor, and the six non-POA&M-eligible requirements: CMMC FAQ (Section C) and 32 CFR §§ 170.21 and 170.24.
- Cost figures: 2026 market ranges compiled from public provider pricing and published cost analyses; DoD’s roughly $104,670 Level 2 estimate confirmed (via the FAQ) to cover assessment and affirmation only, excluding implementation.
- Assessment-process and independence rules: Cyber AB CMMC Assessment Process (pre-assessment scope confirmation) and Cyber AB Code of Professional Conduct (consultant–assessor independence).
What we did not verify on this page
- We did not verify any named provider’s Cyber AB Marketplace status here.
- We did not verify any compensation relationship with a named provider on this page.
- We did not provide legal or contractual advice.
- We did not evaluate your specific CUI, contracts, network, or evidence — only you (and your chosen advisor) can categorize your actual assets.
CMMC scoping guide FAQ
What is a CMMC scoping guide?
A CMMC scoping guide explains how to define which systems, people, facilities, providers, and assets fall inside your CMMC assessment boundary before an assessment happens. It’s the step that comes before writing an SSP, choosing tools, or engaging an assessor, and it’s governed by 32 CFR § 170.19.
What is included in CMMC Level 2 scope?
CMMC Level 2 scope includes CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets. Out-of-Scope Assets must not process, store, or transmit CUI, must provide no security protections for CUI Assets, and must be physically or logically separated from them. These categories are defined in 32 CFR § 170.19(c).
What is a CUI Asset?
A CUI Asset processes, stores, or transmits Controlled Unclassified Information. It is documented in your asset inventory, System Security Plan, and network diagram, and it is assessed against all 110 NIST SP 800-171 Revision 2 requirements.
What is a Security Protection Asset?
A Security Protection Asset provides security functions or capabilities to the CUI environment — such as a firewall, identity provider, EDR, or SIEM — even if it never stores CUI itself. It is in scope and assessed against the requirements relevant to the protection it provides.
What is Security Protection Data?
Security Protection Data is the security-relevant data handled by Security Protection Assets, including log data, configuration data, vulnerability findings, and passwords. When an external provider handles your Security Protection Data, that provider is typically pulled into your assessment scope.
Are MSPs and MSSPs in scope for CMMC?
They are in scope when they handle CUI, administer the CUI environment, or process Security Protection Data such as logs and configurations — and per the CMMC FAQ, an MSSP that handles your Security Protection Data is assessed within your scope even if no CUI is sent to it. The provider does not need its own CMMC certification, but document its responsibilities before relying on it.
Are cloud providers in CMMC scope?
If a cloud service processes, stores, or transmits CUI, it must meet the FedRAMP Moderate (or higher) baseline under DFARS 252.204-7012 — through a FedRAMP authorization or documented equivalency — and encrypting the CUI does not remove that requirement. Keep the authorization or equivalency evidence and a customer responsibility matrix.
Does a CUI enclave reduce CMMC scope?
A properly separated CUI enclave can reduce the number of systems in scope by confining CUI to a defined boundary. It does not reduce the Level 2 requirements that apply inside the enclave, and separation must be enforced by real controls — encryption or a VLAN alone is not enough.
Can encryption alone keep my enterprise network out of scope?
No — encryption by itself does not create the logical separation that defines a boundary. However, per the CMMC FAQ, if your enclave is otherwise logically separated, sending properly encrypted CUI across enterprise networking outside the enclave does not, by itself, pull that networking into your assessment scope.
Are CMMC assessments required if we only handle hard-copy CUI?
No. Per the CMMC FAQ, organizations that only handle hard-copy (paper) CUI are not required to complete a third-party assessment, though they must still safeguard that CUI. But the moment that CUI is placed on an information system — scanned, photographed, entered, uploaded, printed, or emailed — that system is expected to meet the applicable CMMC assessment requirements before the CUI is placed on it.
Are classified systems in CMMC scope?
No. Per the CMMC FAQ, CMMC applies only to defense contractors’ nonfederal unclassified information systems that process, store, or transmit FCI or CUI. Classified systems and environments are outside the CMMC assessment scope.
Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?
CMMC Level 2 is assessed against NIST SP 800-171 Revision 2. Per the CMMC FAQ (Revision 2.3, May 2026), a class deviation keeps Revision 2 as the assessment baseline until Revision 3 is incorporated through rulemaking, even though contractors may voluntarily implement Revision 3 using DoD’s defined parameters.
What counts as a significant change to my CMMC scope?
There is no single bright-line definition, and the CMMC FAQ places the determination with your Affirming Official. As a guide: a requirement that was Not Applicable becoming applicable (for example, adding Wi-Fi) typically requires reassessment; routine, like-for-like upgrades do not; and major redesigns or merging unassessed environments require careful evaluation.
How often should CMMC scope be updated?
Update your scope whenever your CUI flow, systems, providers, identity, backups, contracts, facilities, or assessment type changes. Because the program requires annual affirmations of compliance, your documented scope must stay aligned with the environment you actually operate.
Related guides
- CMMC scope reduction: how to shrink Level 2 scope under 32 CFR 170.19
- CMMC Level 2 checklist (mapped to NIST SP 800-171 Rev. 2)
- CMMC Level 2 cost guide (2026)
- CMMC enclave cost breakdown
- CMMC secure enclave guide
- CMMC managed enclave guide
- GCC High for CMMC: when it’s required and when it isn’t
- CMMC external service provider requirements
- FCI vs. CUI: what the difference means for your contract level
- CMMC provider categories explained
- Who to hire first: C3PAO, RPO, MSP, or consultant?
- C3PAO directory: finding and verifying authorized assessors
- CMMC MSP guide
- CMMC readiness checklist
- What is CMMC? A plain-English overview