Defining the scope of your CUI environment is the first and most critical step in preparing for CMMC Level 2. Get it right, and the rest of the program is achievable.
Defining the scope of your Controlled Unclassified Information (CUI) environment is the first and most critical step in preparing for a CMMC Level 2 assessment. Proper scoping ensures you know exactly which assets, people, and systems fall within your compliance boundary — and it can make the difference between a smooth certification process and costly setbacks.
The Five Asset Categories
Per the CMMC Scoping Guide, every asset in your enterprise falls into one of five categories:
- CUI Assets — process, store, or transmit CUI. Fully in scope, all 110 controls.
- Security Protection Assets — provide security functions to CUI assets (SIEM, EDR consoles, identity providers). Fully in scope.
- Contractor Risk Managed Assets — capable of touching CUI but managed via policy to prevent it. In scope but limited assessment.
- Specialized Assets — IoT, OT, government-furnished equipment, restricted information systems, test equipment. In scope with tailored treatment.
- Out-of-Scope Assets — physically and logically separated from CUI, no capability to touch it.
A Practical Scoping Checklist
1. Inventory every active contract and confirm CUI presence.
2. Identify every system and user that handles CUI today.
3. Draw the data flow — ingestion, processing, storage, transmission, disposal.
4. Define the boundary (typically a hardened enclave on FedRAMP-authorized infrastructure).
5. Categorize every asset into one of the five buckets and document the rationale.
6. Codify the boundary in the System Security Plan with diagrams.
7. Validate with a tabletop walkthrough before engaging a C3PAO.
The narrower and more defensible your boundary, the cheaper and faster your assessment.
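The walkthrough in step 7 is easier to defend when the asserted categories are checked mechanically against the data flows drawn in step 3. The script below is an added example, not part of the original article: it encodes the five-category rules above as consistency checks over a constructed inventory and a constructed flow list (all asset names and flows are invented for illustration), flagging out-of-scope assets that connect to CUI assets and non-CUI assets observed carrying CUI.

```python
"""Scoping consistency check for a CMMC Level 2 asset inventory (added example)."""

# The five CMMC asset categories from the Scoping Guide.
CATEGORIES = {"CUI", "SPA", "CRMA", "SPECIALIZED", "OUT_OF_SCOPE"}

# Constructed inventory: asset name -> category asserted in the SSP.
INVENTORY = {
    "file-server-01": "CUI",
    "engineer-laptop-07": "CUI",
    "siem-collector": "SPA",           # security protection asset
    "idp-tenant": "SPA",
    "hr-payroll": "OUT_OF_SCOPE",
    "cnc-mill-3": "SPECIALIZED",       # OT asset, tailored treatment
    "shared-print-server": "CRMA",     # policy says no CUI is printed here
}

# Constructed data flows drawn in step 3: (source, destination, carries_cui).
FLOWS = [
    ("engineer-laptop-07", "file-server-01", True),
    ("file-server-01", "siem-collector", False),         # log shipping only
    ("idp-tenant", "file-server-01", False),             # authentication
    ("hr-payroll", "file-server-01", False),             # out-of-scope asset reaching CUI
    ("engineer-laptop-07", "shared-print-server", True), # CUI actually reaching a CRMA
    ("engineer-laptop-07", "cnc-mill-3", True),          # allowed: specialized asset
]


def find_scoping_findings(inventory, flows):
    """Return findings where observed flows contradict the asserted categories."""
    findings = []
    for asset, cat in inventory.items():
        if cat not in CATEGORIES:
            findings.append(f"{asset}: unknown category {cat!r}")
    for src, dst, carries_cui in flows:
        for asset in (src, dst):
            if asset not in inventory:
                findings.append(f"{asset}: appears in a flow but is missing from the inventory")
        endpoints = {src: inventory.get(src), dst: inventory.get(dst)}
        cats = set(endpoints.values())
        # Out-of-scope assets must be logically separated from CUI assets: any flow is a finding.
        if "OUT_OF_SCOPE" in cats and "CUI" in cats:
            findings.append(f"{src} -> {dst}: out-of-scope asset connected to a CUI asset")
        # Only CUI and Specialized assets may process, store or transmit CUI.
        if carries_cui:
            for asset, cat in endpoints.items():
                if cat not in ("CUI", "SPECIALIZED"):
                    findings.append(f"{asset}: classified {cat} but observed carrying CUI; reclassify as CUI asset")
    return findings


if __name__ == "__main__":
    for finding in find_scoping_findings(INVENTORY, FLOWS):
        print("FINDING:", finding)
```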