18 Nov CMMC Scoping Guide: How to Define Your CMMC Assessment Scope with Asset Types, Boundaries, and In-Scope Systems

CMMC Scoping Guide: Defining Your CMMC Assessment Scope with Asset Types, Scope Boundaries, and In-Scope Systems
Key Takeaways
- CMMC Scoping Guide defines which assets, systems, and processes are evaluated for compliance.
- Accurate identification of asset types streamlines control implementation.
- Clear scope boundaries prevent scope creep and optimize audit costs.
- Detailed mapping of in-scope systems ensures appropriate security controls.
- Ongoing scope maintenance preserves compliance as environments evolve.
Introduction
A CMMC scoping guide is the foundational framework that determines which systems, assets, and processes will be evaluated during your CMMC assessment, ensuring you invest in the right controls and protect critical information.
Organizations facing Cybersecurity Maturity Model Certification (CMMC) compliance often struggle to define their assessment boundaries properly, and that struggle drives most of the problems described below. For an overview of what CMMC entails, see our guide on What Is CMMC Compliance; to learn more about preparing for certification, see our CMMC Compliance Readiness Services.
Improper scoping can create serious problems: under-scoping leaves critical systems vulnerable and non-compliant, while over-scoping unnecessarily increases audit costs and implementation complexity. Getting it right matters for both compliance success and operational efficiency.
In this comprehensive guide, we’ll walk you through the essential elements of defining your CMMC assessment scope, including CMMC asset types, CMMC scope boundaries, and CMMC in-scope systems. You’ll learn practical approaches to accurately determine what needs protection and what can safely remain outside your compliance boundary.
What Is a CMMC Scoping Guide?
A CMMC scoping guide is a documented process that systematically identifies and categorizes all assets, systems, and processes that handle Controlled Unclassified Information (CUI) or Federal Contract Information (FCI). This critical document establishes clear boundaries for your CMMC assessment scope, helping streamline audit processes and reduce compliance risks.
The scoping guide serves several essential purposes:
- It reduces audit complexity and associated costs by clearly defining what systems require evaluation
- It focuses your security controls implementation efforts exclusively on in-scope systems
- It provides documented rationale for auditors, simplifying the assessment process
- It helps prevent scope creep during implementation and assessment phases
Without a proper scoping guide, organizations often struggle to determine where to apply controls, leading to inefficient resource allocation and potential compliance gaps. A detailed breakdown of CMMC requirements is available in our comprehensive guide to CMMC Requirements for Defense Contractors. Your scoping guide becomes the roadmap for your entire CMMC compliance journey.
A well-crafted CMMC assessment scope ensures that you’re protecting what matters while not wasting resources on systems that don’t require the same level of security controls.
Identifying CMMC Asset Types
CMMC asset types refer to the various categories of hardware, software, data, network components, and cloud services that store, process, or transmit CUI/FCI within your organization. Properly identifying these assets is the first critical step in defining your scope. To understand how these asset types align with specific CMMC practices and domains, refer to our post on CMMC 2.0 Updates.
Key Asset Categories
- Hardware Assets: These include physical devices like servers, workstations, laptops, mobile devices, storage media, and IoT devices that might access or store protected information.
- Software Assets: All operating systems, applications, databases, security tools, and custom-developed software that interact with CUI or FCI fall into this category.
- Data Assets: This encompasses files, emails, databases, and any other information repositories containing CUI or FCI, regardless of format or storage location.
- Network Components: Elements like routers, switches, firewalls, load balancers, wireless access points, and other connectivity devices that transmit protected information.
- Cloud Services: All SaaS applications, IaaS virtual machines, PaaS environments, storage buckets, and other cloud resources handling protected information.
Inventory Best Practices
- Deploy automated discovery tools to scan your network for connected devices and applications
- Conduct stakeholder interviews across departments to uncover hidden or legacy systems
- Document the owner, location, function, and classification of each asset
- Update your inventory continuously as assets change, are decommissioned, or new ones are added
- Cross-reference inventory against procurement records to identify gaps
Remember that incomplete asset identification is one of the primary reasons organizations fail to achieve proper CMMC compliance. Take time to be thorough in this discovery phase.
For detailed NIST guidelines, see NIST SP 800-171 Rev. 2.
Establishing CMMC Scope Boundaries
CMMC scope boundaries define the limits of your assessment by establishing clear physical, logical, and contractual boundaries around systems handling CUI/FCI. These boundaries determine where your security responsibilities begin and end. Stay current on when and how boundaries impact your CMMC 2.0 requirements with our CMMC 2.0 Updates guide.
Types of Boundaries
- Physical Boundaries: These include facilities, offices, server rooms, or secure areas where CUI/FCI is physically handled, stored, or processed. Physical boundaries might include entire buildings or specific secured zones within facilities.
- Logical Boundaries: These refer to network segmentation elements like VLANs, security zones, subnets, firewalls, or other mechanisms that isolate in-scope systems from the rest of your network infrastructure.
- Contractual Boundaries: These encompass third-party environments, such as cloud services or vendor systems, that handle your CUI/FCI under contractual agreements with the DoD.
Data Flow and Interconnection Mapping
- Create detailed data flow diagrams showing all points where CUI/FCI enters your environment, how it moves between systems, and where it might exit
- Overlay these data flows on network diagrams to clearly illustrate trust zones and security boundaries
- Identify all connection points between in-scope and out-of-scope systems
- Document security controls at boundary points where data transfers between zones
Boundary Documentation
- Clearly record all in-scope versus out-of-scope systems in your System Security Plan (SSP)
- Label all diagrams with clear indications of scope boundaries
- Provide written justification for any systems excluded from scope
- Maintain strict version control as boundaries change over time
- Include both high-level overview diagrams and detailed technical documentation
Well-defined CMMC scope boundaries prevent scope creep during assessments and help focus security investments where they matter most.
For best practices on network segmentation, see CISA’s network segmentation guidance.
Determining CMMC In-Scope Systems
CMMC in-scope systems include any IT resource that directly stores, processes, or transmits CUI or FCI, or that provides security services to protect this information. Identifying these systems accurately is crucial for compliance. For a deeper dive on level-specific requirements, check out our CMMC Level 2 Certification Process guide.
Examples of In-Scope Systems
- On-premises servers hosting contract documents, technical data, or other CUI
- Employee laptops, desktops, and mobile devices that access or store protected information
- Cloud instances, virtual machines, or containers storing or processing research data
- Business applications like ERP systems, CRM platforms, email systems, or document management solutions handling FCI
- Network infrastructure connecting CUI-handling systems
- Security systems protecting CUI environments (including monitoring tools)
Identification Best Practices
- Use data flow diagrams to trace all paths CUI/FCI takes through your environment
- Cross-reference your asset inventory with access control lists and system logs
- Conduct workshops with IT teams, security personnel, and business units to validate findings
- Review contracts to identify which systems handle DoD information
- Map the information lifecycle from creation or receipt through processing, storage, and disposal
- Check remote access solutions and mobile device management systems
Remember that identification of in-scope systems isn’t a one-time activity. As your business evolves, new systems may enter scope while others may exit. Regular reassessment is crucial.
Defining Your CMMC Assessment Scope
Your CMMC assessment scope represents the final, comprehensive definition of which assets, systems, and boundaries will be subject to CMMC requirements. This scope forms the foundation of your compliance program and audit preparation.
Step-by-Step Scoping Process
1. Conduct a full asset inventory: Using your understanding of CMMC asset types and CMMC in-scope systems, create a comprehensive list of all potential in-scope elements.
2. Apply scope boundaries: Overlay your defined CMMC scope boundaries to exclude components that don’t process CUI/FCI or protect in-scope systems.
3. Map security requirements: For each in-scope asset, identify which specific CMMC practices and domains apply (e.g., Access Control, Identification and Authentication, Media Protection). For detailed domain mappings, see our CMMC Requirements for Defense Contractors.
4. Validate scope: Hold a workshop with IT, security, compliance, and business leadership to review and validate your proposed scope.
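As an added illustration of the data flow and interconnection mapping section and of the inventory and boundary steps above (example code written for this article, not from any CMMC publication or tool), the following Python script applies the two in-scope tests this guide gives to a constructed inventory: an asset is in scope if it handles CUI/FCI, directly or as an endpoint of a CUI-carrying flow, or if it provides security services to an in-scope asset. It then lists the flows that cross the scope boundary, which are the connection points whose controls must be documented. The asset names, flows and field names are assumptions.

```python
# Constructed inventory (hypothetical names). handles_cui: directly stores,
# processes or transmits CUI/FCI; protects: assets this component secures.
ASSETS = {
    "file-server": {"handles_cui": True,  "protects": []},
    "eng-laptop":  {"handles_cui": False, "protects": []},
    "erp":         {"handles_cui": False, "protects": []},
    "siem":        {"handles_cui": False, "protects": ["file-server", "erp"]},
    "core-fw":     {"handles_cui": False, "protects": ["eng-laptop"]},
    "hr-portal":   {"handles_cui": False, "protects": []},
    "guest-wifi":  {"handles_cui": False, "protects": []},
}
# Constructed flows taken off a data flow diagram: (source, destination, carries_cui).
FLOWS = [
    ("file-server", "eng-laptop", True),   # CUI moves to an engineer's laptop
    ("eng-laptop",  "erp",        False),  # laptop reaches ERP, but without CUI
    ("erp",         "hr-portal",  False),
    ("hr-portal",   "guest-wifi", False),
]

def classify_scope(assets, flows):
    """Map each asset to a scope category using the article's two in-scope tests."""
    # Step 1: seed with assets that directly handle CUI/FCI.
    cui = {n for n, a in assets.items() if a["handles_cui"]}
    # Step 2: endpoints of CUI-carrying flows transmit CUI; walk the graph both ways.
    pending = list(cui)
    while pending:
        node = pending.pop()
        for src, dst, carries_cui in flows:
            if carries_cui and node in (src, dst):
                other = dst if node == src else src
                if other not in cui:
                    cui.add(other)
                    pending.append(other)
    # Step 3: components protecting an in-scope asset join the scope; repeat to a fixed point.
    in_scope, changed = set(cui), True
    while changed:
        changed = False
        for n, a in assets.items():
            if n not in in_scope and set(a["protects"]) & in_scope:
                in_scope.add(n)
                changed = True
    return {n: "in-scope: handles CUI/FCI" if n in cui
            else "in-scope: security protection" if n in in_scope
            else "out-of-scope" for n in assets}

def boundary_crossings(scope, flows):
    """Flows with exactly one in-scope endpoint: where boundary controls must be documented."""
    inside = lambda n: scope[n] != "out-of-scope"
    return [(s, d) for s, d, _ in flows if inside(s) != inside(d)]
```

In the constructed data, the laptop enters scope only because a CUI flow reaches it, which is exactly the kind of asset an inventory built from procurement records alone tends to miss.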
Avoiding Common Pitfalls
- Over-inclusion: Don’t unnecessarily include systems that never touch CUI/FCI. This increases compliance costs without security benefit.
- Under-inclusion: Ensure you don’t miss rarely used systems or temporary processing environments that still handle protected information.
- Poor documentation: Maintain clear records of all scoping decisions, including justifications for exclusions and boundary determinations.
- Ignoring vendor systems: Include third-party environments under DoD contracts in your scope assessment, particularly cloud services.
A well-defined CMMC assessment scope allows you to focus your compliance efforts where they’re needed while excluding systems that don’t require the same level of protection.
Maintaining and Updating Your CMMC Scope
CMMC compliance isn’t a one-time certification but an ongoing process. Your environment will change, and your scope must evolve accordingly. Establishing processes for maintaining scope accuracy is critical for sustained compliance.
Periodic Review Strategies
- Schedule quarterly or annual scope audits to verify all assets remain properly categorized
- Re-inventory assets after major IT deployments, migrations, or system decommissioning
- Update data flow and network diagrams whenever architecture changes occur
- Review scope after organizational changes like mergers, acquisitions, or new business functions
Change Management Process
- Establish a formal request procedure for new assets or architecture changes that might impact scope
- Include compliance review as part of your IT change management workflow
- Notify your compliance team of any potential scope impacts before implementation
- Document all change requests, approvals, and resulting scope updates
- Create a feedback loop from security monitoring to scope validation
Audit-Readiness Tips
- Centralize all scoping documents in a secure, accessible repository
- Implement version control for all diagrams, inventories, and system security plans
- Train staff on the importance of scoping and their role in maintaining accuracy
- Conduct periodic mock assessments to test scope documentation
- Create a scope change log to track modifications over time
Your CMMC scoping guide should be treated as a living document that evolves alongside your organization’s IT environment and business processes.
Conclusion
A robust CMMC scoping guide, anchored by accurate CMMC asset types, clear CMMC scope boundaries, and well-defined CMMC in-scope systems, is key to a precise CMMC assessment scope. The time invested in properly defining your scope will pay dividends throughout your compliance journey.
Organizations that master scoping tend to experience smoother assessments, more focused security investments, and fewer compliance gaps. By contrast, those that rush through scoping often face audit complications, unnecessary remediation costs, and potential security vulnerabilities.
Ready to start defining your CMMC assessment scope? Download our free CMMC scoping checklist and template to begin mapping your scope today. If you’re ready to take the next step toward certification, explore our CMMC Compliance Readiness Services.
Frequently Asked Questions
What is a CMMC scoping guide and why is it important?
A CMMC scoping guide defines which systems, assets, and processes require evaluation for CMMC compliance. It establishes clear boundaries, streamlines audits, and ensures that security controls focus on protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).
How do I identify all assets that handle CUI or FCI?
Begin with a comprehensive asset inventory that includes hardware, software, data, network components, and cloud services. Use automated discovery tools, stakeholder interviews, and regular updates to ensure no asset is overlooked.
What are logical boundaries in a CMMC scope?
Logical boundaries refer to network segmentation elements such as VLANs, security zones, subnets, and firewalls that isolate in-scope systems from out-of-scope environments, controlling where sensitive data can travel.
How often should I update my CMMC scope?
CMMC scope should be reviewed at least quarterly or after any major changes like system deployments, migrations, or organizational restructures. Regular reviews help maintain accurate scoping and continuous compliance.