CMMC scoping: drawing the boundary that decides your cost

How to find your CUI, the five asset categories, when an enclave makes sense, and why scope is the biggest lever on CMMC cost and effort.

What is CMMC scoping?
CMMC scoping is the process of drawing the boundary around the systems, people, and facilities that will be assessed — determined by where CUI is processed, stored, or transmitted, and by what protects those places. Scope is decided before controls are assessed, and it is the single biggest driver of what certification costs.

Where does CUI actually hide?

The scoping failures we see rarely involve the file server everyone knows about. They involve the places CUI drifts to: email threads and attachments, engineering workstations with local copies, CAD/PLM systems, shop-floor machines holding technical data packages, commercial SaaS tools someone connected years ago, and backups of all of the above. Finding your CUI before the assessor does is the whole game — every location you find late is remediation you didn’t budget.

The five asset categories

  • CUI assets — process, store, or transmit CUI. Fully assessed against all applicable controls.
  • Security protection assets — provide security functions for the scope (your SIEM, your identity provider). Assessed for the functions they provide.
  • Contractor risk-managed assets — could reach CUI but are kept from doing so by policy and procedure rather than by technical separation. Documented, and assessors can spot-check that the policy is actually enforced.
  • Specialized assets — OT, IoT, test equipment, government-furnished property. Documented in the SSP and managed by risk-based policies rather than every control.
  • Out-of-scope assets — physically or logically separated from CUI. Your job is making the separation defensible.

When does an enclave make sense?

An enclave — a separated environment purpose-built to hold CUI — makes sense when CUI touches a small share of your people and work. Move the CUI workflows in, keep the other ninety percent of the business out, and the assessment shrinks accordingly. It makes less sense when CUI is genuinely everywhere in your operations: forcing an enclave onto a business that lives in CUI all day trades assessment scope for daily friction, and friction is how CUI leaks back out to convenient-but-noncompliant places.

How scoping decisions cut cost

Every asset inside the boundary carries control obligations: hardening, monitoring, documentation, evidence. Shrinking the boundary is therefore the one decision that reduces every downstream line item at once — remediation, tooling, documentation, and assessment hours. It’s also the decision hardest to change late: re-scoping after remediation means redoing work. This is why a readiness assessment starts with the boundary, not the controls.

Frequently asked questions

What counts as CUI in a DoD contract?

Information that the government creates, or that you create on its behalf under the contract, and that law, regulation, or government-wide policy requires to be safeguarded — commonly technical drawings, specifications, export-controlled data, and certain program information. Your contract's DD Form 254 and CUI markings are the starting point; when in doubt, ask the contracting officer in writing.

Is my whole company in scope for CMMC?

Only if CUI can reach your whole company. Scope follows the data: the systems that process, store, or transmit CUI, plus the assets that protect them. A well-built enclave can leave the rest of the business out of the assessment entirely.

Do cloud services fall in scope?

If CUI touches them, yes — and cloud services holding CUI generally need to meet FedRAMP Moderate (or equivalent) requirements. This is why CUI quietly living in commercial SaaS tools is one of the most expensive discoveries an assessor can make.

Can scoping really change my CMMC cost that much?

It's the single biggest lever. Every system inside the boundary needs the applicable controls implemented, documented, and evidenced — so halving the boundary roughly halves the remediation surface, the tooling footprint, and the assessment hours.

Free 30-minute readiness call

Walk into your CMMC assessment ready.

Book a 30-minute readiness call with a Fortwise advisor. No high-pressure sales — just a clear read on where you stand and what it takes to certify.

  • Confirm which CMMC level your contracts actually require
  • Pinpoint the gaps most likely to fail your assessment
  • Leave with a clear, prioritized path to certification

One-on-one with a CMMC advisor · No obligation · We never store your CUI