CMMC Scoping For Defense Contractors: A Practical Guide
Are you a defense contractor struggling to define your CMMC assessment scope? Learn about CMMC scoping to avoid costly compliance mistakes.

Implementing security controls for Cybersecurity Maturity Model Certification (CMMC) compliance is only the first step. Defense contractors need to know exactly what information they're protecting and how. Without proper CMMC 2.0 scoping, you'll waste time securing systems that don't need it and miss the ones that do.
If you map your Controlled Unclassified Information (CUI) flow and define system boundaries early, you'll cut costs, simplify audits, and reach CMMC compliance faster. This works whether you're going for Level 2 certification or running a self-assessment for Level 1.
This guide breaks down CMMC scoping step by step. You'll learn how to categorize assets, set boundaries, and keep your compliance process on track—without the guesswork.
What is CMMC Scoping?
CMMC scoping identifies which vendors, systems, and assets touch Controlled Unclassified Information (CUI) or Federal Contract Information (FCI) in order to ensure your organization meets Department of Defense (DoD) security requirements.
Your scoping decisions shape everything: audit costs, complexity, and which security controls you'll implement. Any scoped items will need to be assessed by a Certified Third Party Assessor Organization (C3PAO) during your CMMC audit to ensure requirements are met.
The goal of scoping is to ensure your organization meets DoD requirements for protecting CUI and FCI without using up time, resources and cash on systems that aren’t in scope for CMMC.
What's in scope depends on your CMMC level. This guide focuses on Level 2 scoping and asset categories, where most defense contractors need to be.
Why Asset Categorization Matters
Asset categorization is the process of organizing systems and devices based on how they interact with CUI or FCI, so you know which assets need full security controls, which need limited protection, and which are out of scope for your CMMC assessment.
Get categorization right, and you reduce your compliance burden by applying CMMC controls only where needed. Your security improves because you're protecting the systems that actually handle CUI. You save money by skipping unnecessary security tools. And when assessors arrive, you hand them clear, justified scope boundaries that speed up the entire process.
How To Identify In-Scope Assets For CMMC Level 2
For CMMC Level 2, in-scope assets are those that process, store, or transmit CUI. The DoD scoping guidance defines four key asset categories you must address:
1. CUI Assets
CUI assets are systems, devices, or cloud services that store, process, or transmit CUI. Common types of CUI assets include file servers, technical drawings, user devices and cloud storage, export-controlled research data, and contract details.
2. Security Protection Assets (SPAs)
SPAs are assets that provide security functions for your environment and protect CUI even if they don’t hold it directly. SPAs are in-scope for CMMC compliance because they could expose CUI if compromised.
Common types of SPAs include firewalls, authentication servers, Security Information and Event Management (SIEM) platforms, and anti-virus servers.
3. Contractor Risk Managed Assets (CRMAs)
CRMAs connect to CUI systems but don’t process, store, or transmit CUI due to security policies or technical controls. You can decide whether to harden or segment them to meet security requirements.
Common types of CRMAs include shared file servers, admin workstations, and devices accessing a virtual desktop infrastructure (VDI).
4. Out-of-Scope Assets
Out-of-scope assets can only be categorized as such because they are physically or logically isolated from CUI and its protection assets. No CUI access, no data flow, period — you'll need documented isolation and access controls to prove it. Once verified, these assets skip the CMMC assessment entirely.
Common out-of-scope assets include personal use assets, third-party tools and services, and non-sensitive documents.
How To Map Data Flows of CUI
After outlining what assets are in scope for CMMC assessment, you need to map out how CUI moves through your organization: how it enters your systems, which paths it takes, where it gets stored, and how it exits.
Here’s how to map CUI data flows:
1. Identify CUI Entry Points
The first step is to build a Data Flow Diagram (DFD) that visualizes where CUI enters your systems. Typical entry points are email servers or attachments, uploads from subcontractors, DoD or customer web portals, and secure file transfers.
2. Track Internal Processing and Storage
Follow CUI through every system (apps, databases, storage media) and document which users, servers, cloud platforms, and backup systems touch this data. Hidden flows are where most organizations run into trouble, so check automated scripts, shared drives, and any system that syncs or copies data automatically.
3. Pinpoint CUI Exit Channels
Map where CUI leaves your environment, whether through customer reports, vendor exchanges, or regulatory submissions. Every exit point is a critical control area that requires encryption, access restrictions, and logging to maintain compliance.
Implementing Network Segmentation and Security Measures
To minimize the users and systems in your environment that must meet all 110 NIST SP 800-171 controls aligned with CMMC Level 2 practices, you can implement network segmentation.
Network segmentation helps create a defined CUI enclave to safeguard sensitive information, by isolating CUI environments from less sensitive networks and reducing the scope of your CMMC assessment. This can lower ongoing compliance costs and assessment complexity.
- Technical controls: Use Virtual Local Area Networks (VLANs) and firewalls to separate networks and enforce traffic rules.
- Administrative controls: Define policies for access, change management, and ongoing monitoring to maintain separation.
- Physical separation: For highly sensitive environments, consider deploying dedicated hardware.
- Cloud segmentation: Within cloud providers, apply virtual networks, security groups, and identity-based access controls.
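As an added example (not code from this article or from Workstreet), the following Python script cross-references an asset inventory with a CUI data-flow map and flags the scoping mistakes the asset categorization, data flow mapping, and segmentation sections above describe: out-of-scope assets without documented isolation, systems that appear in a flow but not in the inventory, hidden CUI flows into CRMA or other non-CUI assets, exit channels without encryption or logging, out-of-scope assets with any connection to CUI or security protection assets, and CUI assets with no mapped flow. The category codes, the "ext:" prefix for external parties, and the sample environment are all constructed for this example.

```python
"""Scope consistency checker (constructed example, not the article's or Workstreet's code).

Category codes are a convention made up for this example:
  CUI  - CUI asset: stores, processes, or transmits CUI
  SPA  - Security Protection Asset: protects CUI, may not hold it
  CRMA - Contractor Risk Managed Asset: connected, but holds no CUI by policy or control
  OOS  - out-of-scope asset: physically or logically isolated from CUI and SPAs
Endpoint names starting with "ext:" are parties outside the organization
(DoD portals, subcontractors, customers), i.e. CUI entry and exit points.
"""
from __future__ import annotations

from dataclasses import dataclass

VALID_CATEGORIES = {"CUI", "SPA", "CRMA", "OOS"}


@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    isolation_documented: bool = False  # evidence needed before an asset can be OOS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    carries_cui: bool
    encrypted: bool = False  # data protected in transit on this path
    logged: bool = False     # transfer recorded for audit


def is_external(name: str) -> bool:
    return name.startswith("ext:")


def validate_scope(assets: list[Asset], flows: list[Flow]) -> list[str]:
    """Return findings as strings; an empty list means inventory and flow map agree."""
    inventory = {a.name: a for a in assets}
    findings: list[str] = []

    # Inventory hygiene: known category, and isolation evidence for anything marked OOS.
    for a in assets:
        if a.category not in VALID_CATEGORIES:
            findings.append(f"{a.name}: unknown category {a.category!r}")
        elif a.category == "OOS" and not a.isolation_documented:
            findings.append(f"{a.name}: marked out-of-scope without documented isolation")

    cui_touched: set[str] = set()
    for f in flows:
        internal = [e for e in (f.src, f.dst) if not is_external(e)]
        # Every internal endpoint must be inventoried; otherwise the flow map found a system the inventory missed.
        missing = [e for e in internal if e not in inventory]
        for e in missing:
            findings.append(f"{e}: appears in flow {f.src} -> {f.dst} but is not in the asset inventory")
        if missing:
            continue
        cats = {e: inventory[e].category for e in internal}

        if f.carries_cui:
            cui_touched.update(internal)
            # Hidden flow: CUI reaching an asset that is not categorized as a CUI asset.
            for e, cat in cats.items():
                if cat != "CUI":
                    findings.append(f"{e}: categorized {cat} but handles CUI in flow {f.src} -> {f.dst}")
            # Exit channel: CUI leaving the organization needs encryption and logging.
            if is_external(f.dst):
                if not f.encrypted:
                    findings.append(f"exit {f.src} -> {f.dst}: CUI leaves unencrypted")
                if not f.logged:
                    findings.append(f"exit {f.src} -> {f.dst}: CUI transfer is not logged")

        # Isolation: an OOS asset may have no connection at all to CUI or security protection assets.
        catset = set(cats.values())
        if "OOS" in catset and catset & {"CUI", "SPA"}:
            findings.append(f"{f.src} -> {f.dst}: out-of-scope asset connected to an in-scope asset")

    # A CUI asset with no mapped CUI flow is either mis-categorized or the flow map is incomplete.
    for a in assets:
        if a.category == "CUI" and a.name not in cui_touched:
            findings.append(f"{a.name}: categorized CUI but no CUI flow is mapped to it")
    return findings


# Constructed sample environment; comments mark the finding each entry is meant to trigger.
SAMPLE_ASSETS = [
    Asset("cui-fileserver", "CUI"),
    Asset("eng-workstation-01", "CUI"),
    Asset("edge-firewall", "SPA"),
    Asset("siem", "SPA"),
    Asset("shared-drive", "CRMA"),
    Asset("marketing-laptop", "OOS", isolation_documented=True),
    Asset("guest-wifi-ap", "OOS"),  # no isolation evidence
]

SAMPLE_FLOWS = [
    Flow("ext:dod-portal", "eng-workstation-01", carries_cui=True, encrypted=True, logged=True),  # entry point
    Flow("eng-workstation-01", "cui-fileserver", carries_cui=True, encrypted=True, logged=True),
    Flow("cui-fileserver", "shared-drive", carries_cui=True),  # hidden flow into a CRMA
    Flow("cui-fileserver", "ext:subcontractor", carries_cui=True, encrypted=True),  # exit not logged
    Flow("edge-firewall", "siem", carries_cui=False, logged=True),  # SPA telemetry, no CUI
    Flow("marketing-laptop", "cui-fileserver", carries_cui=False),  # OOS touching the enclave
    Flow("backup-sync", "cui-fileserver", carries_cui=True),  # system missing from inventory
]

if __name__ == "__main__":
    for line in validate_scope(SAMPLE_ASSETS, SAMPLE_FLOWS):
        print("FINDING:", line)
```

Run against the sample environment it reports five findings, one per deliberately planted mistake. In practice the inventory and flow list would be exported from your asset-discovery tooling and DFD, and the checker re-run whenever systems are added or retired so the scope in your SSP stays aligned with what is actually connected.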
Dealing With Specialized Systems and Third-Party Dependencies
Specialized systems perform critical functions but often can't meet every CMMC requirement. You still need these systems identified, documented, and protected according to CMMC scoping guidance, without breaking essential operations.
How To Maintain Compliance Over Time
CMMC scoping is not a one-off task. Organizations evolve, with new systems added regularly, changing processes, and vendors that come and go. Maintaining accurate scope is critical to ongoing compliance.
1. Regularly Update Asset Inventories
Keep a current inventory of all in-scope assets and any external service providers (ESPs) that handle CUI.
Whenever organizational changes occur, such as new systems being deployed or existing systems retired, record them in the inventory. Consider automated tools for real-time asset discovery and maintenance.
2. Reassess Network Segmentation
Continuously reassess your network to ensure it remains segmented. Update your System Security Plan (SSP) and conduct periodic self-assessments to validate that firewalls, access controls, VLANs, and cloud configurations still isolate CUI properly.
3. Conduct Periodic Internal Audits
Don’t wait for external audits. Self-assess your CMMC scope on a periodic schedule. This is typically quarterly or whenever significant changes in your organization occur. Focus audits on critical systems, asset inventories, and third-party connections.
Key validation points include:
- All of your CUI systems identified and documented
- Well-functioning segmentation and access controls
- Up-to-date evidence of third-party compliance, including subcontractors
CMMC Scoping For Defense Contractors: Next Steps
Proper CMMC scoping helps to streamline your organization’s CMMC compliance efforts. By correctly identifying in-scope assets and mapping CUI flows, you can control costs and prepare for certification, while strengthening your overall cybersecurity posture.
After CMMC scoping, here are some next steps to consider:
- Conduct a gap analysis and develop a remediation roadmap, either in-house or with assistance from a registered provider organization (RPO), like Workstreet.
- Implement security measures with updated security controls and an SSP.
- Prepare for the official CMMC assessment by finalizing documentation and selecting a C3PAO.
Whether you’re preparing for CMMC Level 2 certification or want to maintain ongoing compliance, Workstreet helps you protect CUI while automating CMMC compliance.
We solve for 100% of CMMC Level 2 requirements, including comprehensive assessment of scope and data mapping. Workstreet is the only AI-powered RPO helping you get compliant, fast. It’s why we’re trusted by leading companies like Clay and Cursor.
Undergo data scoping and mapping with confidence. Schedule a call.
CMMC Scoping FAQs
How does proper CMMC scoping reduce assessment costs?
Accurate scoping limits the final CMMC assessment to only necessary systems. This reduces the time and resources needed for preparation and evaluation, which directly lowers costs by avoiding unnecessary remediation.
What documentation is required for CMMC scoping decisions?
Your organization should maintain clear records and documentation including asset inventories, network diagrams, and data flow maps for all scoping decisions. This documentation will demonstrate the reasoning behind what is in-scope and what isn’t.
How does cloud computing impact CMMC scoping?
Cloud environments require precise scoping to define responsibilities between your organization and cloud service providers. To ensure CUI is protected well, cloud systems should be correctly included in scope where necessary.