
CMMC Scoping Guide: How to Define and Limit Your Assessment Boundaries
Published: 27 Feb
Estimated reading time: 12 minutes
Last Reviewed: 2/28/2026
Key Takeaways
- A CMMC scoping guide defines the systems, assets, and people that must meet DoD cybersecurity expectations so effort is not wasted on out-of-scope technology.
- Precise, documented boundaries keep compliance costs manageable, prevent scope creep, and give assessors a defensible narrative.
- Following an agreed-upon five-step process with a scoping decision log builds a repeatable framework that auditors respect.
Table of contents
- Introduction
- What Is CMMC Scoping?
- Core Concepts in the CMMC Scoping Guide
- The Five-Step Scoping Process
- Using the Official CMMC Scoping Guide Template
- Scoping by CMMC Level
- Best Practices for Your CMMC Scoping Guide
- Common Scoping Challenges and How to Overcome Them
- Next Steps After Scoping
- Conclusion
- Frequently Asked Questions
Introduction
Getting your CMMC scoping guide right is one of the most important steps any Department of Defense contractor can take before pursuing certification, because the audit boundary determines where controls must be enforced.
A scoping guide is the structured process and reference document that maps every system, asset, user, and process that might create, store, transmit, or support Controlled Unclassified Information or Federal Contract Information.
Without a clear scoping guide, contractors risk two costly outcomes: they either take too much of their environment into scope and inflate compliance costs or they leave critical paths unmonitored and invite compliance gaps.
A well-built scoping guide accelerates assessment readiness, prevents scope creep, and gives assessors a clear, defensible picture of your environment, which matters most when a Certified Third-Party Assessment Organization (C3PAO) walks your boundary during the Level 2 assessment and tests whether the separations you claim are actually enforced.
This post provides a step-by-step CMMC scoping guide that defense contractors can use today, whether they are preparing for Level 1, Level 2, or Level 3 certification.
What Is CMMC Scoping?
CMMC scoping is the systematic identification, classification, and delimitation of the organizational environments, information types, and technology assets that require CMMC practices, so that you can focus controls where they matter.
Within the CMMC framework, scoping is not just deciding which computers to evaluate; it is a deliberate process of defining which people, processes, and technologies interact with Controlled Unclassified Information or Federal Contract Information. The two data types carry different contractual obligations: FAR 52.204-21 requires basic safeguarding of FCI, while DFARS 252.204-7012 requires covered defense information (CUI) to be protected to NIST SP 800-171 on your internal systems and on any cloud service or subcontractor system you use to handle it.
Why scoping matters for cost and risk: Right-sized scoping controls compliance costs by applying protections only where they are needed, while over-engineering the boundary drives up remediation and maintenance expenses, and under-scoping exposes you to security risk and failed assessments.
Organizational scoping versus assessment scope: Organizational scoping maps enterprise-wide touchpoints for sensitive data, while assessment scope defines the specific enclave that an assessor will evaluate; many contractors segment CUI handling to a particular network or location so they can keep the rest of the company out of scope.
Core Concepts in the CMMC Scoping Guide
The foundation of your scoping guide includes accurate classification, clear boundary definitions, and a method for deciding what is in scope and out of scope.
Data Classification: CUI and FCI Defined
Controlled Unclassified Information is information that the government creates or possesses, or that a contractor creates or handles on the government's behalf, which a law, regulation, or government-wide policy requires to be safeguarded but which is not classified; in defense work it commonly takes the form of technical drawings, manufacturing specifications, and export-controlled technical data. Federal Contract Information is information not intended for public release that is provided by or generated for the government under a contract, and its 15 basic safeguarding requirements come from FAR 52.204-21.
Classification errors, such as missing legacy file shares that contain CUI or treating FCI as ordinary business information, often poison an assessment before the controls are even evaluated, because an asset that was never classified was never placed in scope.
System Security Plans and Boundary Identification
A System Security Plan (SSP) documents your system architecture, the security controls you have in place, and the parties responsible for each control, and it must describe both physical boundaries like data centers and logical boundaries such as VLAN segmentation.
Network diagrams and data flow maps are required evidence for those boundaries, showing every path that CUI takes through your environment, and the SSP must align to NIST SP 800-171 Rev. 2 controls.
In-Scope vs. Out-of-Scope Assets
In-scope assets include any infrastructure directly handling CUI or FCI, supporting its flow, or affecting the security of those systems, from workstations to mobile devices and the administrators behind them. The DoD CMMC Level 2 Scoping Guide divides that population into CUI Assets, Security Protection Assets (the SIEM, EDR, firewalls, and similar tooling that protects the CUI environment), Contractor Risk Managed Assets (assets that could handle CUI but are not intended to, and are kept out of it by policy and procedure), and Specialized Assets (IoT, OT, test equipment, government-furnished equipment); all four must appear in the asset inventory, SSP, and network diagram, while CRMAs and Specialized Assets are not assessed against the full requirement set.
Out-of-scope assets cannot process, store, or transmit the data in scope for your target level (FCI at Level 1, CUI at Level 2 and above), cannot technically reach in-scope systems, and hold no administrative access to them. Every exclusion should still be justified with the specific control that enforces the separation, such as a firewall rule set or VLAN isolation, because an assessor who finds an undocumented path from an excluded asset into the enclave will pull that asset into scope on the spot.
The Five-Step Scoping Process
On-Site Technology calls this the Five-Step CMMC Boundary Definition Process, and it keeps scoping complete, repeatable, and defensible for every Department of Defense contractor.
- Step 1 — Inventory All Information Types: Capture every structured and unstructured data element, media type, removable storage location, and collaboration channel; the NIST SP 800-171 Rev. 2 requirement families (CMMC domains) such as Configuration Management and System and Information Integrity guide what to capture.
- Step 2 — Map CUI and FCI Flows: Document inputs, storage, processing, outputs, and transmission paths, and hunt for hidden flows like personal email copies or consumer cloud synchronization that silently expand your attack surface.
- Step 3 — Identify System Boundaries and Enclave Definitions: Define each enclave with both logical and physical controls, ensuring that segmentation is technically enforced, not just administratively declared.
- Step 4 — Determine In-Scope Controls: Build a cross-reference matrix mapping each CMMC practice to the exact system, component, or policy that implements it so assessors can verify coverage easily.
- Step 5 — Document Exclusions and Justifications: Maintain a scoping decision log that records every exclusion, the rationale, the date, and the approver to demonstrate that boundaries were deliberate and reviewed.
The documented log becomes a vital artifact during assessments, proving that your boundary decisions are defensible, not arbitrary.
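The check that turns Steps 3 and 5 into something an assessor can verify is the one below: given an asset inventory and the inter-VLAN firewall policy, test each asset the team declared out of scope against the two conditions named earlier (no network path to a CUI asset, no privileged account shared with one) and emit scoping decision log entries. This is an added example written for this post, not On-Site Technology's tooling or any DoD-published script; every asset name, VLAN, account, and firewall rule in it is constructed, and the asset category names are the ones used by the DoD CMMC Level 2 Scoping Guide.

```python
"""Scoping boundary check: verify that assets declared out of scope are really
isolated from CUI assets, then emit scoping decision log entries.

Added example for this post; not On-Site Technology's tooling. Every asset,
VLAN, firewall rule and account below is constructed for illustration.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass
from datetime import date

# Asset categories named in the DoD CMMC Level 2 Scoping Guide.
CUI_ASSET = "CUI Asset"
SPA = "Security Protection Asset"
CRMA = "Contractor Risk Managed Asset"
OUT_OF_SCOPE = "Out-of-Scope Asset"


@dataclass(frozen=True)
class Asset:
    name: str
    vlan: int
    declared: str            # category proposed by the scoping team
    admins: frozenset[str]   # accounts holding administrative rights on the asset


# Constructed inventory (Step 1 output); names, VLANs and accounts are hypothetical.
ASSETS = [
    Asset("eng-fs01", 10, CUI_ASSET, frozenset({"adm.jlee"})),
    Asset("eng-ws07", 10, CUI_ASSET, frozenset({"adm.jlee"})),
    Asset("siem01", 20, SPA, frozenset({"adm.secops"})),
    Asset("mkt-ws03", 30, OUT_OF_SCOPE, frozenset({"adm.helpdesk"})),
    Asset("guest-ap1", 40, OUT_OF_SCOPE, frozenset({"adm.helpdesk"})),
    Asset("lobby-kiosk", 50, OUT_OF_SCOPE, frozenset({"adm.jlee"})),
]

# Constructed inter-VLAN firewall policy: explicit allows, default deny between
# VLANs, unrestricted within a VLAN. Each tuple is (src_vlan, dst_vlan, rule name).
ALLOW_RULES = {
    (10, 20, "cui-hosts-to-siem-syslog"),
    (20, 10, "siem-agent-mgmt"),
    (40, 10, "legacy-print-allow"),  # stale rule nobody remembered: the hidden path
}


def reachable_vlans(start: int, rules) -> set[int]:
    """VLANs reachable from `start` through any chain of allow rules.

    Pivoting through an intermediate VLAN counts as reachable, which is the
    conservative reading an assessor will apply to 'cannot reach CUI systems'.
    """
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for src, dst, _ in rules:
            if src == cur and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def evaluate_scope(assets, rules, approver="unassigned", today=date(2026, 2, 28)):
    """Test each declared exclusion against the two technical conditions the
    post names (no path to CUI, no privileged access shared with in-scope
    assets) and return one decision log entry per excluded asset (Step 5)."""
    cui_vlans = {a.vlan for a in assets if a.declared == CUI_ASSET}
    cui_admins = set().union(*(a.admins for a in assets if a.declared == CUI_ASSET))
    log = []
    for a in assets:
        if a.declared != OUT_OF_SCOPE:
            continue
        problems = []
        hit = reachable_vlans(a.vlan, rules) & cui_vlans
        if hit:
            first_hop = sorted(r[2] for r in rules if r[0] == a.vlan)
            problems.append(f"network path from VLAN {a.vlan} to CUI VLAN(s) "
                            f"{sorted(hit)} starting with rule(s) {first_hop}")
        shared = a.admins & cui_admins
        if shared:
            # Same admin credential on both sides means a compromise of the
            # 'excluded' box yields a privileged foothold inside the enclave.
            problems.append(f"privileged account(s) {sorted(shared)} also administer CUI assets")
        log.append({
            "date": today.isoformat(),
            "asset": a.name,
            "decision": "exclusion rejected" if problems else "exclusion upheld",
            "rationale": "; ".join(problems) if problems else
                f"no allow rule from VLAN {a.vlan} reaches a CUI VLAN; "
                f"no privileged account shared with CUI assets",
            "enforcing_control": "none effective; reclassify as CUI Asset or CRMA and re-review"
                if problems else "default-deny inter-VLAN firewall policy",
            "approver": approver,
        })
    return log


if __name__ == "__main__":
    for entry in evaluate_scope(ASSETS, ALLOW_RULES, approver="ciso"):
        print(f"{entry['date']} {entry['asset']:<12} {entry['decision']:<18} {entry['rationale']}")
```

Run as written, the marketing workstation's exclusion is upheld, the guest access point is rejected because a forgotten allow rule gives it a path into the CUI VLAN, and the lobby kiosk is rejected because its local administrator account is the same one that administers the file server. Feeding the real firewall export and a privileged-account report into the two constructed inputs is the practical next step; the log entries that come out are exactly the rows the decision log in Step 5 needs.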
Using the Official CMMC Scoping Guide Template
A standard template keeps scoping consistent across engagements and highlights the key components that assessors expect to see for any CMMC level being pursued. The DoD CIO publishes a separate CMMC scoping guide for Levels 1, 2, and 3 that defines the asset categories and the documentation an assessor will look for; the template below is our structure for organizing that evidence against those guides, not a replacement for them.
Section A — Introduction and Scope Statement: Articulate the purpose, the targeted CMMC level, and a concise statement describing what is included or excluded from the assessment boundary.
Section B — Asset Inventory and CUI/FCI Mapping: List every asset, tie it to its data classification, and include data flow context so reviewers understand how information moves.
Section C — Boundary Diagrams and Descriptions: Attach current network diagrams, boundary narratives, and enclave definitions that mirror your written justification.
Section D — Scoping Decisions and Exclusions: House the decision log, including the approvals that confirm exclusions were reviewed by stakeholders.
Writing tips:
- Use precise language, define every acronym, reference specific contracts and systems, and cite IP ranges or VLANs rather than generic phrases.
- Attach current diagrams, not legacy versions, and capture document version control metadata such as revision date and owner for each update.
- Link each exclusion to a technical control or administrative process so that auditors understand how the boundary is enforced.
Pitfalls to avoid:
- Vague scope statements like “all company systems” tell an assessor nothing, while precise definitions such as “systems within VLAN 10 at the Newark facility that handle CUI” are auditable.
- Missing third-party providers such as managed service vendors or subcontractors who touch CUI creates critical gaps in the assessment narrative.
- Unjustified exclusions prompt deeper scrutiny, so avoid dismissive rationales and document every separation carefully.
Scoping by CMMC Level
CMMC scoping expectations change as you climb the maturity ladder, so align your boundary strategy with the specific practices for each level.
Levels 1 and 2: FCI and Basic CUI Safeguarding
At Level 1 the scope centers on FCI, with the 15 basic safeguarding practices from FAR 52.204-21 applied to every system that processes, stores, or transmits that data; the boundary may be as small as a single dedicated workload or shared drive with strict access controls. Level 2 expands the scope to CUI and requires alignment with all 110 NIST SP 800-171 Rev. 2 practices, which makes boundary definition significantly more complex.
Level 3: Advanced CUI Environments
Level 3 adds 24 selected requirements from NIST SP 800-172 on top of a Level 2 certification, and it is assessed by the DoD's DCMA DIBCAC rather than by a C3PAO. Expect a granular enclave structure with strict access controls, multi-factor authentication at every boundary, and separation between development and production; the DoD CMMC Level 3 Scoping Guide defines how the Level 2 asset categories carry into a Level 3 boundary, and we recommend engaging a scoping specialist before finalizing those boundary definitions.
Best Practices for Your CMMC Scoping Guide
These habits ensure your scoping guide is accurate, defensible, and up-to-date.
Build a Cross-Functional Scoping Team
Scoping is not an IT-only exercise; include IT operations, information security, legal counsel, and contracting staff so every contract obligation and sensitive data type is identified, and run structured workshops that end in recorded stakeholder sign-offs, which give an assessor evidence that the boundary was reviewed by the business rather than declared by IT alone.
Use Automated Discovery and Inventory Tools
Manual inventories go stale quickly, so leverage asset management platforms, network discovery scanners, and Configuration Management Database (CMDB) integrations to track shadow IT, unauthorized devices, and undocumented data stores in real time.
Maintain the Scope Over Time
Treat scoping as an ongoing program; define rescoping triggers such as new contracts, system upgrades, staffing changes, or organizational shifts, and keep a version history so every update is traceable.
Common Scoping Challenges and How to Overcome Them
Understanding frequent stumbling blocks helps you stay ahead of auditor questions.
Under-Scoping: Hidden Data Flows
Hidden CUI flows from BYOD policies, shadow IT, personal cloud storage, or consumer sync tools are often the most dangerous omissions, and mitigation requires staff interviews, endpoint visibility, gap analyses, and more than a single network scan.
Over-Scoping: The Cost of Inclusion
Including systems that cannot reach CUI, have no administrative access, and are physically separated increases remediation costs and slows assessments, so use risk-based filtering and document why lower-impact systems were excluded.
Documentation Gaps and Inconsistent Terminology
Calling the same system by different names or using “network” interchangeably with “enclave” confuses assessors; standardize terminology, require executive sign-off, and ensure every exclusion carries a technical rationale and approval signature.
Next Steps After Scoping
Once scoping is complete, quickly turn those decisions into artifacts that auditors rely on.
Integrating Your Scope into the System Security Plan
Update the SSP immediately with enclave definitions, tagged asset categories, and documented exclusions, attach diagrams and decision logs, assign named responsible parties, and conduct a mock assessment with your scoping artifacts before engaging a C3PAO.
Preparing for Assessment
Walk through every CMMC practice, verify that your cross-reference matrix links controls to the right enclaves, and identify gaps well before the official assessment, because a gap you find in your own pre-review is far cheaper to close than a finding raised during the C3PAO assessment, where an unmet requirement either fails the assessment or must be closed within the 180-day Plan of Action and Milestones window.
Continuous Monitoring and Scope Maintenance
Define rescoping triggers such as contract changes, major upgrades, new third-party vendors, and reorgs, assign a named owner, set a quarterly review cadence, and integrate scoping into your change management process so no major change bypasses the impact assessment.
Conclusion
A rigorous CMMC scoping guide is the foundation of a successful, cost-effective certification program because it gives your team a repeatable framework — inventory, map flows, define boundaries, align controls, document exclusions — that scales from Level 1 through Level 3 and holds up under assessor scrutiny.
Ready to define your assessment boundary? Download our free CMMC scoping worksheet to get started, or schedule a scoping workshop with the On-Site Technology team, which works with defense contractors across Northern New Jersey and beyond to build accurate, audit-ready scoping guides.
Frequently Asked Questions
What is a CMMC scoping guide and why should our team build one?
A CMMC scoping guide documents which assets, systems, and processes handle CUI or FCI so that controls are applied where they are required, reducing excess cost and giving assessors a clear, defensible view of the environment.
How often should we revisit our scope?
Review your scope after every major change, such as new contracts, system upgrades, personnel shifts, or organizational restructuring, and maintain a version history with at least quarterly check-ins to catch changes before the next assessment.
How do we document exclusions so an assessor understands the boundary?
Maintain a scoping decision log that records every exclusion, the rationale, the approver, and the technical control (such as firewall rule sets or VLAN isolation) that enforces separation, proving that boundary decisions are deliberate and reviewed.
Need Help With Compliance?
On-Site Technology helps defense contractors translate scoping artifacts into compliance readiness, guiding teams through boundary definition, documentation, and assessment preparation.