[Image: engineering workstation with a network topology diagram showing highlighted boundary segments on one screen and a printed asset table beside it]

What's Actually in Scope for Your CMMC Assessment — and Why Most Contractors Get It Wrong

May 25, 2026 | 8 min read

When defense contractors begin preparing for a CMMC Level 2 assessment, the most common scoping decision is not a decision at all. It is an assumption: everything connected to the network is in scope, and the remediation work begins from there.

That assumption is the single most expensive mistake in the CMMC ecosystem right now — not because it causes contractors to miss controls, but because it causes them to implement controls for systems that should never have been in the assessment in the first place.

Understanding what is actually in scope for a CMMC Level 2 assessment and what the rule says about how that scope is defined is the highest-leverage conversation a contractor can have before spending a dollar on remediation.


Scope Is a Design Decision, Not a Default State

Under 32 CFR 170.19, assessment scope is defined as the set of assets in the contractor's environment that will be assessed against CMMC security requirements. The operative word is "will." The regulation does not say "everything on the network." It does not say "every system your employees touch." It says the set of assets that will be assessed — and that set is defined by the contractor, not inherited by default.

The assessor's job is to evaluate whether the scope definition is reasonable, whether the boundary is accurately documented in the System Security Plan, and whether the controls enforcing that boundary technically match what the SSP describes. The assessor does not define the scope. The contractor defines it, defends it, and documents it.

Contractors who understand this go into assessment with a deliberate position. Contractors who do not understand it go in with a boundary that is almost always too broad, generating remediation costs for systems that the rule never required them to harden.


What the Rule Actually Requires You to Protect

The starting point for any scoping conversation is the data itself. CMMC Level 2 is built around the protection of Controlled Unclassified Information — CUI. If a system processes, stores, or transmits CUI, it belongs inside the assessment boundary. If it does not, there is a legitimate argument for keeping it out.

CUI is not a loose category. It is formally defined under Executive Order 13556 and the CUI Registry maintained by the National Archives. In the defense contracting world, it typically appears as controlled technical information attached to weapons systems or defense programs, export-controlled data governed by ITAR or EAR, and technical drawings or engineering specifications that arrive from a prime or program office with a CUI category banner.

The presence of CUI in the environment is identified through contract review — specifically, whether the contract references DFARS 252.204-7012, which is the clause that triggers the CUI handling requirements under NIST SP 800-171. If DFARS 252.204-7012 is in the contract, CUI is in scope for that work. If only FAR 52.204-21 is present, the contractor is handling Federal Contract Information, which carries a much lighter requirement set under CMMC Level 1.

That contract clause review is the first step in every scoping conversation. It determines not just what level of CMMC applies, but which data flows, which systems, and which people are relevant to the assessment at all.


Asset Categories Under the Rule

One of the most consequential details in the CMMC scoping regulation is that not every asset within the assessment boundary is treated the same way. The rule establishes five asset categories, each with different assessment treatment.

CUI Assets are systems that directly process, store, or transmit CUI. These are the core of the assessment. They are evaluated against the full set of 110 NIST SP 800-171 controls, and every control that applies to the CUI environment applies to these systems in full.

Security Protection Assets are systems that provide security functions for the CUI environment — firewalls, identity providers, endpoint protection platforms, SIEMs, multi-factor authentication systems, and similar infrastructure. They are assessed only against the controls relevant to the security capabilities they provide, not the full 110. A firewall is not assessed against media protection requirements. An identity provider is not assessed against physical protection requirements. The assessment is scoped to what the asset actually does.

Contractor Risk Managed Assets are assets that could connect to the CUI environment but are managed under the contractor's documented risk-based policy. These carry documentation requirements but lighter assessment treatment than CUI Assets.

Specialized Assets include operational technology, IoT devices, government-furnished equipment, and test equipment. These are documented in the SSP and assessed in a manner appropriate to their function and constraints, not against the full control set.

Out-of-Scope Assets are systems that are physically or logically separated from the CUI environment and have no connection to it. These carry no CMMC documentation requirements at all.

What this means in practice is significant. Even inside a formally defined in-scope environment, the controls do not apply uniformly to every system. Getting asset categorization right at the start is not a documentation exercise — it is a cost control decision.


The Enclave Strategy

The scoping regulation explicitly recognizes a design approach that many contractors have not been told is available: the enclave.

An enclave is a logically or physically segmented portion of the contractor's environment, specifically designed to contain the CUI and the systems that support it. It sits inside the broader business network but is treated as its own assessment scope. Everything outside the enclave boundary — payroll systems, marketing infrastructure, accounting platforms, HR tools — remains out of scope, provided the boundary is technically enforced.

The DoD has affirmed this approach. Published implementation examples show cost reductions in the range of 20 to 45 percent when contractors design and document a proper enclave rather than accepting a default whole-company scope.

The requirement is that the boundary be real. An enclave that exists only as a diagram in the SSP, without corresponding network segmentation, access control enforcement, and data flow controls, will not hold under assessment scrutiny. The enclave has to be built, not just described. But for contractors whose CUI environment is concentrated in a defined portion of the business — a specific team, a specific facility, a specific set of systems — the enclave approach is not a workaround. It is the right application of the scoping rule.


What Assessors Look for When Reviewing Scope

When a C3PAO assessor begins an engagement, the first artifact they review is the System Security Plan. The SSP contains the contractor's scope definition, the boundary diagram, the asset inventory, and the asset category designations. Before a single control is evaluated, the assessor determines whether the scope documented in the SSP is accurate, reasonable, and technically supported.

The patterns that draw scrutiny at this stage are consistent. An SSP that lists assets without category designations forces the assessor to reconstruct the boundary logic before they can begin. A boundary diagram that does not match the network architecture documentation produces immediate questions about whether the enclave is technically enforced. An asset inventory that does not account for cloud storage, remote access infrastructure, or mobile devices that touch CUI creates gaps that the assessor will identify during the walk-through, regardless of whether they are in the SSP.

Assessors are not looking for a perfect environment. They are looking for a documented environment that the controls were built to protect. The SSP is the contractor's argument for why the scope is correct. A strong SSP scope section makes that argument clearly, with asset categories designated, boundary controls documented, and the rationale for out-of-scope decisions recorded. A weak one leaves the assessor to make assumptions — and the assumptions an assessor makes under time pressure are rarely favorable.
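As an added illustration (not code from the original post or from Xact), the check below walks a constructed asset inventory and flags the patterns this section and the asset-category section above describe: assets with no category designation, assets that handle CUI but are designated something other than CUI Asset, out-of-scope assets with a connection into the enclave, and links to assets missing from the inventory. The category labels and every asset record are assumptions built for the example.

```python
"""Added example (not from the original post): a scoping sanity check over a
constructed asset inventory modelled on the five 32 CFR 170.19 categories."""
from dataclasses import dataclass, field
from typing import Optional

# Category labels are an assumption of this example, not the rule's own codes.
CATEGORIES = {"CUI", "SPA", "CRMA", "Specialized", "OutOfScope"}
IN_SCOPE = CATEGORIES - {"OutOfScope"}


@dataclass
class Asset:
    name: str
    handles_cui: bool                     # processes, stores or transmits CUI
    category: Optional[str] = None        # SSP designation; None = undocumented
    connects_to: set = field(default_factory=set)  # names of reachable peers


def scope_findings(inventory):
    """Return SSP scope problems an assessor would flag, one string each."""
    by_name = {a.name: a for a in inventory}
    findings = []
    for a in inventory:
        if a.category is None:
            findings.append(f"{a.name}: no asset category designated")
            continue
        if a.category not in CATEGORIES:
            findings.append(f"{a.name}: unknown category {a.category!r}")
            continue
        if a.handles_cui and a.category != "CUI":
            findings.append(f"{a.name}: handles CUI but designated {a.category}")
        for peer in sorted(a.connects_to):
            b = by_name.get(peer)
            if b is None:
                findings.append(f"{a.name}: reaches {peer!r}, missing from inventory")
            elif b.category and (a.category in IN_SCOPE) != (b.category in IN_SCOPE):
                # an out-of-scope asset must have no connection to the CUI enclave
                findings.append(f"{a.name} <-> {peer}: link crosses enclave boundary")
    return findings


# Constructed inventory for a small engineering enclave (sample data only).
SAMPLE = [
    Asset("eng-fileserver", True, "CUI", {"fw-edge", "idp"}),
    Asset("fw-edge", False, "SPA", {"eng-fileserver", "eng-laptop-07"}),
    Asset("idp", False, "SPA"),
    Asset("eng-laptop-07", True),                                 # no designation
    Asset("cnc-mill", False, "Specialized", {"fw-edge"}),
    Asset("marketing-web", False, "OutOfScope"),
    Asset("hr-payroll", False, "OutOfScope", {"eng-fileserver"}), # boundary leak
    Asset("sharepoint-cui", True, "CRMA", {"m365-tenant"}),       # miscategorised
]

if __name__ == "__main__":
    for line in scope_findings(SAMPLE):
        print(line)
```

Running it against the sample inventory produces four findings, each corresponding to one of the scope gaps an assessor would have to reconstruct or question during the SSP review.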


The Cost of Getting This Wrong

The financial impact of a poorly defined scope is not abstract. It appears in the remediation budget, in the assessment timeline, and in the rework cost when a boundary that was never formally established has to be rebuilt around a different set of systems than the ones the controls were originally written for.

A whole-company default scope for a 150-person defense contractor can mean hardening 200 or more endpoints, dozens of servers, and infrastructure that has no relationship to CUI at all. A properly defined enclave for the same company, built around the 20 systems that actually process or transmit CUI, produces an assessment environment that is smaller, faster to remediate, and materially less expensive to maintain over the three-year certification cycle.

The scoping decision made at the beginning of a CMMC program does not just affect the first assessment. It sets the boundary that every subsequent annual affirmation, every internal audit, and every renewal assessment will be evaluated against. Getting it right the first time is not just a cost savings on the initial project. It is the foundation the entire program is built on.


About Xact Cybersecurity

Xact Cybersecurity is a division of Xact IT Solutions, a cybersecurity compliance firm based in Marlton, NJ, specializing in CMMC Level 2 preparation and assessment readiness for defense contractors and members of the Defense Industrial Base. Xact IT Solutions holds the GTIA Cybersecurity Trustmark Assured credential, meaning its internal operations have been independently validated against the same standards they help clients achieve.

For defense contractors with questions about assessment scope, CUI boundary definition, or CMMC Level 2 readiness, the Xact Cybersecurity team offers a free 30-minute strategy call. Schedule at getready4cmmc.com/free-cmmc-strategy-call or contact the team directly at [email protected] | 856-282-4100 | 1 Executive Drive Suite 100, Marlton, NJ 08053.
