Learn about CMMC Assessment scoping, the scoping boundary, CUI enclaves, CUI assets, SPA, CRMA, out-of-scope assets, and more through the Frequently Asked Questions (FAQs) below. If you are looking for certified CMMC Professionals and a customised solution for your organization, please schedule a free consultation.
Table of Contents
What is CMMC assessment scoping and why does it matter?
Summary: CMMC assessment scoping is the process of defining the precise boundary of an organization’s information systems that will be evaluated during a CMMC assessment, identifying every asset, person, technology, and service that processes, stores, or transmits FCI or CUI in scope for the required CMMC level.
Scoping matters because it directly determines the cost, complexity, and duration of achieving and maintaining CMMC compliance. An organization that brings its entire enterprise IT environment into scope faces dramatically higher compliance costs and assessment complexity than one that isolates CUI into a defined enclave. The DoD provides official CMMC Scoping Guides for each level (available at dodcio.defense.gov) that define the five asset categories and the requirements applicable to each.
Scoping is also a high-risk area for compliance failures, organizations that define their scope too narrowly may achieve certification but fail to protect CUI that sits outside the stated boundary, creating exposure under the False Claims Act. Scope definition is the critical first step in every CMMC compliance engagement.
What is a CUI Asset under CMMC scoping and what security requirements apply to it?
A CUI Asset is any component of an organization’s information system that processes, stores, or transmits Controlled Unclassified Information in the performance of a DoD contract, and as defined in the CMMC Scoping Guide, Level 2, it is the asset category against which all 110 NIST SP 800-171 Rev 2 controls and all 320 assessment objectives must be applied.
CUI Assets are the core of every CMMC assessment. They include any server, workstation, laptop, mobile device, network device, cloud service, application, or storage system that directly handles CUI. All 320 assessment objectives apply to CUI Assets without exception, there is no partial application of controls to this category.
Contractors must maintain a current, accurate inventory of all CUI Assets, document how each asset handles CUI in their System Security Plan (SSP), and ensure that every control in all 14 domains is fully implemented for each CUI Asset. Reducing the number of CUI Assets through enclave isolation or data flow restriction is the most effective strategy for controlling CMMC compliance cost and scope.
What is a Security Protection Asset (SPA) under CMMC scoping?
A Security Protection Asset is any asset that provides security functions or capabilities that protect an organization’s CUI environment, such as firewalls, identity providers, SIEM systems, endpoint detection tools, and MFA services, regardless of whether the SPA itself directly handles CUI, and it is subject to CMMC security requirements because its compromise could undermine CUI protection.
SPAs are a distinct asset category in the CMMC Scoping Guide, Level 2. Because SPAs control, monitor, or enforce the security of CUI Assets, their integrity is critical to the overall compliance posture. Examples of SPAs include: perimeter firewalls and intrusion detection/prevention systems; VPN gateways; identity and access management platforms; MFA services; SIEM and log aggregation platforms; antivirus/EDR management consoles; and patch management servers.
SPAs managed by External Service Providers (ESPs) such as MSPs or MSSPs must be addressed in the assessment, the ESP’s management of those SPAs falls within scope. Security Protection Data (SPD) associated with SPAs, such as log data, configuration data, and vulnerability scan data, is also subject to CMMC requirements.
What is a Contractor Risk Managed Asset (CRMA) and how is it treated in an assessment?
A Contractor Risk Managed Asset is an asset that can, but has not been configured to, process, store, or transmit CUI, typically systems on the same network as CUI Assets but separated from them through security controls, and which the contractor manages through risk management practices rather than full NIST SP 800-171 control application.
CRMAs occupy a middle category in the CMMC scoping framework: they are not fully out of scope, but they do not carry the full assessment burden of CUI Assets. A CRMA might be a legacy printer on the corporate network that does not handle CUI but could theoretically be accessed from a CUI Asset, or a general-purpose workstation restricted from accessing CUI through technical access controls.
The contractor must demonstrate through their SSP and network architecture documentation that CRMAs are adequately segregated from CUI Assets. Assessors will evaluate whether risk management measures are sufficient, an asset that can be reached from a CUI Asset without adequate controls cannot credibly be classified as a CRMA.
What are Specialized Assets and Out-of-Scope Assets under CMMC?
Summary: The CMMC Scoping Guide defines two additional asset categories: Specialized Assets, which require specific handling due to their nature, and Out-of-Scope Assets, which have no nexus to CUI and are excluded from the assessment boundary.
Specialized Assets include government-furnished equipment (GFE), operational technology (OT) and industrial control systems (ICS), Internet of Things (IoT) devices, and test equipment that may interact with CUI environments but cannot practically implement all NIST SP 800-171 controls due to design or operating constraints. For these assets, the contractor must document the limitations, implement compensating controls to the extent feasible, and accept the residual risk through their risk management process.
Out-of-Scope Assets are systems, devices, and users that have absolutely no connection, physical or logical, to any CUI-handling system. These assets are excluded from the assessment entirely. An asset can only be classified as Out-of-Scope if the contractor can demonstrate through network architecture, access controls, and documentation that it is definitively isolated from all CUI data flows.
What is a CUI enclave and how does it reduce the scope and cost of CMMC compliance?
Summary: A CUI enclave is a dedicated, technically isolated segment of an organization’s information environment within which all CUI handling is confined, so that CMMC security controls need only be implemented within that boundary rather than across the entire organization.
The enclave strategy is the most widely used and effective method for managing CMMC Level 2 compliance cost. Instead of upgrading an entire enterprise IT environment to meet 110 NIST SP 800-171 controls across every system and user, a contractor builds a separate, hardened environment, typically using a government cloud platform such as Microsoft 365 GCC High, Azure Government, or AWS GovCloud, where only the employees and systems that handle CUI operate.
The rest of the organization’s systems, which handle general business functions and have no access to CUI, remain outside the assessment boundary. This can reduce the number of in-scope assets from hundreds to tens, proportionally reducing assessment complexity, remediation effort, and ongoing maintenance cost. A poorly implemented enclave with undocumented connections to non-compliant systems does not provide scope reduction.
How do I define and document the CMMC assessment boundary?
Summary: Defining the CMMC assessment boundary requires a systematic process of tracing every path through which CUI enters, moves within, and exits an organization’s environment, and documenting that boundary in a network architecture diagram and System Security Plan (SSP) that accurately represents how CUI is handled.
The process begins with identifying all DoD contracts involving CUI and all data received under those contracts. Map every system, application, cloud service, and person that touches that data. Determine which asset category applies to each component, CUI Asset, Security Protection Asset, CRMA, Specialized Asset, or Out-of-Scope, using the DoD’s CMMC Scoping Guide.
Network architecture diagrams must show physical and logical boundaries, including firewalls, segmentation points, VPN connections, and access controls. All boundary documentation must be included in the SSP and kept current, boundary changes require SSP updates. C3PAOs will review scope documentation in the pre-assessment phase; an inaccurate boundary definition can result in scope disputes that delay the assessment or expand it unexpectedly.
How do I physically or logically isolate CUI to reduce my compliance footprint?
Summary: Physical and logical isolation of CUI limits the number of assets, users, and services that fall within the CMMC assessment boundary, directly reducing the compliance effort, cost, and risk associated with CMMC Level 2.
Physical isolation means placing CUI-handling systems on dedicated hardware, in dedicated network segments, or in a physically separate location with controlled access. This might include a dedicated CUI workroom, separate servers, or dedicated network switches and cabling. Physical isolation is the most complete form of separation but also the most costly and operationally restrictive.
Logical isolation achieves the same boundary through network segmentation and access controls rather than physical separation. This commonly involves creating a separate VLAN or subnet for CUI systems, enforced by firewall rules that prevent communication between the CUI environment and other network segments. Cloud-based logical isolation uses separate tenants, subscriptions, or containers within a FedRAMP-authorized cloud platform. Remote users access the CUI environment through VPN connections into the isolated segment, or through a Virtual Desktop Infrastructure (VDI) that renders CUI on a remote server without local data storage on the endpoint. Regardless of approach, all isolation measures must be documented in the SSP.
What is the CMMC Scoping Guide and where can I find it?
The CMMC Scoping Guide is a set of official DoD guidance documents, one for each CMMC level, that define the asset categories, assessment boundaries, and scoping principles that contractors and assessors use to determine which systems, people, and services fall within the scope of a CMMC assessment.
The DoD publishes separate Scoping Guides for CMMC Level 1, Level 2, and Level 3. The Level 2 Scoping Guide is the most widely used, defining the five asset categories, CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets, and the security requirements applicable to each. The guides are published by the DoD CIO and are available at dodcio.defense.gov under the CMMC section.
The CMMC Level 2 Scoping Guide is a companion document to the CMMC Level 2 Assessment Guide (Version 2.13, September 2024). Contractors should use the current version of the Scoping Guide when defining their assessment boundary, as the DoD updates these documents to clarify ambiguities and incorporate lessons learned from early assessments.
Explore Blogs, Webinars and other Resources
Trusted by Reputed Companies
What Our Clients Say
We used databrackets (formerly EHR 2.0) in our small medical practice for our risk analysis assessment to be in compliance with meaningful use. Their response was fast, the final report is detailed but simple and easy to follow. They were always available to answer our questions.
E. Compres
Pulmonary and Sleep Center of the Valley
I never miss the opportunity to learn something new …that’s why I am always registering to all free seminars offered on the web. databrackets (formerly EHR 2.0) happened to be the friendliest, comprehensive and up-to- date source of HIPAA Privacy and Security updates.
Alexandra V.
Community Healthcare Network
Today’s presentation was great! Thank you for sending the slides. My only feedback is that it would be fabulous to have the slides ahead of time so I could print them and take notes on the slides.Thanks for your time and knowledge today!
T.B., PM
Community Health Network
Particularly interesting was the flow chart on Administrative Simplification. I utilize all of the Security subcategories you list under the Security tile and appreciate knowing that I am hitting all of the relevant topics during my employee training.
Jessica B.
JD, CHC
I have re-worked our original risk assessment….We are using databrackets' (formerly EHR 2.0) Meaningful Use Security Risk Analysis Toolkit and it meets our needs. It was easy to use and I believe that it very beneficial to our meeting meaningful use.
Bill Curtis
Neurosurgical Associates Of Texarkana, TX
Information (webinars) presented by databrackets (formerly EHR 2.0) highlights some of today’s most demanding healthcare topics. The webinars help to direct those operating in today’s rapidly changing environment in the right direction.
Candace M.
Privacy and Security Officer, Springhill Medical Center
Our Growing List of Credentials
0
+
Assessments
0
+
Clients
0
+
Assessment Libraries
0
+
Years of Experience
0
+
No. of Staff Trained
0
+
HIPAA
0
+
SOC 2 Readiness
0
+
Pen Testing
0
+
ISO 27001 Certifications
0
+
Dollars Saved in Compliance Penalties