How to Scope Your CMMC Boundary: Systems, Data, and People


Scoping is the most consequential decision in your CMMC program. Get it right and you build a manageable, cost-effective program. Get it wrong and you either over-scope your environment (expensive, complex, unnecessary) or under-scope it (assessment findings, failed certification, legal exposure).

The CMMC Assessment Boundary determines exactly what is included in your assessment. Everything inside the boundary must meet all applicable CMMC requirements. Everything outside the boundary is out of scope. Defining that line is a precise technical and policy exercise, not a judgment call.

This article explains how the CMMC Assessment Boundary is defined, what types of assets fall inside it, and how smart scoping decisions can reduce your compliance costs without creating risk.

What the CMMC Assessment Boundary Is

The CMMC Assessment Boundary includes all assets that:

  1. Process, store, or transmit CUI (for Level 2) or FCI (for Level 1), or
  2. Provide security protection for those assets, even if they do not touch CUI directly

That second category is where most scoping mistakes happen. Assets that protect CUI-handling systems are in scope even if no CUI ever flows through them. This includes:

  • Firewalls protecting CUI network segments
  • Identity providers (Active Directory, Okta, Azure AD) that authenticate users who access CUI systems
  • Endpoint detection and response (EDR) platforms monitoring CUI endpoints
  • Security information and event management (SIEM) systems collecting logs from CUI systems
  • Patch management systems deploying updates to CUI systems
  • Backup systems holding copies of CUI data
  • IT management tools (RMM platforms) used by MSPs to manage in-scope systems

Asset Categories in CMMC Scoping

The CMMC program defines several asset categories for scoping. Each category has different implications for what requirements apply.

CUI Assets (Directly In Scope)

Assets that process, store, or transmit CUI. Every CMMC Level 2 requirement applies to these assets. Examples:

  • Workstations where engineers open and work with CUI documents
  • File servers containing CUI data
  • Email systems where CUI is transmitted
  • Collaboration platforms where CUI is shared (Microsoft Teams, SharePoint)
  • VPN endpoints that carry CUI in transit

Security Protection Assets (In Scope)

Assets that provide security functions for CUI assets. All CMMC requirements apply. Examples:

  • Active Directory domain controllers that authenticate users to CUI systems
  • Firewalls protecting the CUI network segment
  • EDR/antivirus platforms monitoring CUI endpoints
  • Log management systems collecting events from CUI assets

Contractor Risk Managed Assets (Potentially Reducible)

Assets that can process, store, or transmit CUI but where the contractor takes responsibility for managing the risk without full CMMC assessment. These require documented risk management and security controls. The contractor acknowledges the risk in the SSP and accepts accountability.

This category requires careful handling. Assets designated as Contractor Risk Managed must have appropriate controls and documented justification. Assessors will scrutinize these designations.

Specialized Assets (Handled Differently)

Government-furnished equipment, IoT devices, operational technology (OT), and restricted information systems may qualify for specialized handling. The specific requirements depend on the asset type and whether CUI flows through it. These must be documented in the SSP with their handling rationale.

Out-of-Scope Assets

Assets that have no connection to CUI and do not provide security functions for CUI assets. These assets do not need to meet CMMC requirements. The key is that the separation must be real: logical or physical controls must prevent out-of-scope assets from accessing, affecting, or communicating with in-scope assets.

The Enclave Strategy: Reducing Scope Intelligently

The single most effective cost-reduction strategy in CMMC is limiting the CMMC Assessment Boundary through a well-designed CUI enclave.

An enclave is a defined segment of your IT environment where CUI handling is isolated. Rather than bringing your entire enterprise network into scope, you build a controlled environment specifically for CUI work and keep CUI out of the rest of your systems.

What a Minimal Viable Enclave Might Look Like

For a small defense contractor:

  • 5-10 workstations designated for CUI work, running Windows 11 with hardened configuration
  • A file server or cloud storage solution that meets FedRAMP Moderate (Microsoft GCC High, for example)
  • A dedicated VPN for remote access to the enclave
  • Active Directory or Azure AD with MFA for enclave authentication
  • Firewall rules that prevent enclave traffic from routing to the general company network
  • EDR deployed on enclave workstations
  • Separate email for CUI communications (also in GCC High or equivalent)

The rest of the company's IT environment, including general business workstations, commercial email, non-CUI file shares, and accounting systems, remains outside the CMMC boundary.

Enclave Requirements to Get Right

For an enclave to hold up to CMMC assessment, the separation must be technically genuine and documented:

  • Network separation: VLAN separation with firewall rules, or physical network separation. Network-level controls must prevent CUI from flowing to out-of-scope segments. Encryption between segments does not create logical separation.
  • Authentication separation: Enclave systems should use either a dedicated identity provider or isolated accounts. If your company's general Active Directory controls access to both enclave and non-enclave systems, the domain controller is in scope.
  • No CUI leakage: If an employee routinely copies CUI from the enclave to their general workstation for convenience, the general workstation becomes in scope. Technical controls (copy-paste restrictions, USB blocking on enclave systems, no cloud sync to personal accounts) prevent leakage.
  • Documentation: The SSP must describe the enclave boundary, how it is enforced, and why assets inside and outside are categorized as they are. An assessor will review the SSP against the technical evidence.

Cloud Scoping: The FedRAMP Requirement

If CUI is processed, stored, or transmitted in a cloud environment, that cloud environment is in scope. For cloud services that are not under the organization's direct control, the CMMC program has specific requirements.

Cloud Service Providers (CSPs) processing CUI must meet the FedRAMP Moderate baseline at minimum, or the equivalent DoD-specific standard established in the December 2023 DoD equivalency memo (the Department of Defense was redesignated the Department of War by executive order in September 2025).

What this means in practice:

  • Standard Microsoft 365 (E3/E5) — sufficient for FCI, NOT sufficient for CUI
  • Microsoft 365 GCC High — meets the FedRAMP Moderate standard for CUI
  • Standard Google Workspace — sufficient for FCI, NOT sufficient for CUI
  • Google Workspace for Government (appropriate tier) — verify FedRAMP Moderate authorization before using for CUI
  • Consumer cloud storage (Dropbox, Box standard tier, OneDrive personal) — not authorized for CUI

If your organization stores CUI in a non-FedRAMP-authorized cloud service today, that is a gap that must be remediated before a CMMC assessment.

External Service Providers: MSPs and MSSPs Are In Scope

Two types of third-party service providers often create unexpected scope expansion:

  • Managed Service Providers (MSPs): If an MSP manages systems within your CMMC boundary (patching, helpdesk, remote monitoring), the MSP is an External Service Provider (ESP) and is in scope for your assessment, even if no CUI is directly shared with the MSP.
  • Managed Security Service Providers (MSSPs): If an MSSP provides security monitoring, log analysis, SOC services, or any security function for in-scope systems, the MSSP is an ESP and is in scope.

Both MSPs and MSSPs must be assessed as part of your CMMC assessment. The DoD FAQ (Rev 2.2) is explicit: even when CUI is not directly shared with the ESP, their role in managing or protecting CUI-handling systems puts them in scope.

When evaluating MSP or MSSP relationships for CMMC purposes, ask:

  • Does this provider have access to (or manage) any systems in my CUI boundary?
  • Does this provider log into, remote into, or have credentials for in-scope systems?
  • Does this provider provide any security function for CUI-handling systems?

If the answer to any of these is yes, the provider is in scope.

VDI and Remote Desktop: Scoping Out Endpoints

One legitimate way to reduce scope is Virtual Desktop Infrastructure (VDI). Under specific conditions, physical endpoints connecting to a VDI environment can be excluded from the CMMC Assessment Boundary:

VDI endpoint exclusion conditions (per DoD FAQ E-Q7):

  1. Copy-paste is blocked at the VDI server level
  2. Only keyboard, video, and mouse (KVM) traffic reaches the endpoint
  3. Hardware MFA is enforced (the physical device uses a hardware token or CAC, not just a software token)
  4. No drive mounting from the endpoint to the VDI session
  5. Printing from the VDI session to local printers is blocked

When all five conditions are met, the physical endpoint is a thin client accessing the VDI, and the CUI processing occurs entirely on the in-scope VDI server. The physical endpoint is out of scope.

If any of these conditions are not met, the physical endpoint is in scope.

Documenting Your Scope in the SSP

The System Security Plan is where your scoping decisions are formalized. For each category of asset, the SSP must:

  • List the asset or asset category
  • Describe why it is in scope or out of scope
  • Document the controls that maintain the separation (for out-of-scope assets)
  • Describe any specialized handling (for government-furnished equipment, OT, etc.)

Assessors will compare your SSP documentation against technical evidence during the assessment. If your SSP says the general company network is out of scope but a firewall rule allows CUI workstations to communicate with general network resources, you have a finding.
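The classification rules from the Enclave Requirements section and the SSP-versus-evidence check described above, as an added example that is not part of this article: a small Python script that classifies a constructed asset inventory into the scoping categories and flags firewall allow rules that cross the claimed enclave boundary. Asset names, segment names and the firewall policy are all constructed, and the firewall check is a simple set comparison that ignores rule ordering.

```python
# Added example (not from the article): classify assets into CMMC scoping
# categories and flag firewall rules that contradict a claimed enclave boundary.
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    segment: str                                 # network segment the asset sits in
    handles_cui: bool = False                    # processes, stores or transmits CUI
    protects: set = field(default_factory=set)   # segments it provides security functions for

# Constructed inventory: an enclave VLAN plus the general corporate network.
ASSETS = [
    Asset("eng-ws-01", "enclave", handles_cui=True),
    Asset("cui-fileserver", "enclave", handles_cui=True),
    Asset("enclave-fw", "enclave", protects={"enclave"}),
    Asset("corp-dc-01", "corp", protects={"enclave", "corp"}),  # one AD domain for both
    Asset("accounting-app", "corp"),
    Asset("marketing-ws-07", "corp"),
]

# Constructed firewall policy as (source_segment, destination_segment, action).
FW_RULES = [
    ("enclave", "corp", "deny"),
    ("corp", "enclave", "deny"),
    ("enclave", "corp", "allow"),   # stray rule that breaks the separation claim
]

def cui_segments(assets):
    """Segments that contain at least one CUI-handling asset."""
    return {a.segment for a in assets if a.handles_cui}

def separation_findings(assets, rules):
    """Allow rules whose endpoints straddle a CUI and a non-CUI segment (a finding)."""
    cui = cui_segments(assets)
    return [r for r in rules if r[2] == "allow" and (r[0] in cui) != (r[1] in cui)]

def classify(assets, rules):
    """Map each asset name to its CMMC scoping category."""
    cui = cui_segments(assets)
    leaky = {seg for r in separation_findings(assets, rules) for seg in r[:2]}
    result = {}
    for a in assets:
        if a.handles_cui:
            result[a.name] = "CUI Asset"
        elif a.protects & cui:          # security function for a CUI segment: in scope
            result[a.name] = "Security Protection Asset"
        elif a.segment in leaky:        # claimed out of scope, but separation not enforced
            result[a.name] = "In scope (separation not enforced)"
        else:
            result[a.name] = "Out of Scope"
    return result
```

Removing the stray allow rule moves the corporate assets back to "Out of Scope", while the shared domain controller stays in scope either way.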

Common Scoping Mistakes

  • Treating the whole company as out of scope. Scope creep usually works in one direction: the boundary expands when assessors find connections between in-scope and supposedly out-of-scope systems. Define your boundary conservatively and enforce it technically.
  • Forgetting the identity provider. If Active Directory authenticates users to CUI systems and to non-CUI systems from the same domain, the domain controllers are in scope. This surprises many organizations.
  • Using commercial cloud for CUI. Standard M365 or Google Workspace for CUI processing puts your cloud environment in a non-compliant posture. This is a high-frequency gap in gap assessments.
  • Not assessing your MSP. If your MSP manages in-scope systems, they must be included in your assessment scope. Many organizations are surprised when their MSP becomes part of the assessment.
  • Claiming separation without enforcing it. Telling an assessor that the CUI environment is isolated while firewall logs show regular traffic between the "isolated" and "non-isolated" segments is a finding that will fail the assessment.

Key Takeaways

  • The CMMC Assessment Boundary includes all CUI-handling assets AND assets that provide security protection for CUI-handling systems
  • A CUI enclave strategy can significantly reduce assessment scope and cost
  • Network encryption does not equal logical separation
  • CSPs processing CUI must meet FedRAMP Moderate (standard M365 and Google Workspace do not)
  • MSPs and MSSPs managing in-scope systems are External Service Providers and are in scope
  • VDI endpoints can be scoped out under specific, strict technical conditions
  • All scoping decisions must be documented in the SSP

Learn More

For the complete CMMC framework, see CMMC 101: The Complete Guide to CMMC Compliance for Defense Contractors.

Need expert help defining your CMMC Assessment Boundary? Getting scope wrong at the start costs you throughout the entire program. NR Labs conducts CMMC scoping reviews as part of our gap assessment engagement. Contact us to get it right from the beginning.