Scoping

Scoping is the process of determining which parts of your organization, networks, and systems fall under CMMC assessment requirements. Proper scoping identifies the boundaries of your CUI environment — which systems process, store, or transmit CUI, and which systems can be excluded from the assessment.

Scoping involves categorizing your assets: CUI assets (which directly handle CUI), security protection assets (which provide security for CUI assets), contractor risk-managed assets (which can process CUI but don't), and out-of-scope assets. Getting this right early saves enormous time and money.

Why It Matters

Scoping is one of the first and most consequential steps in your CMMC journey. Over-scoping wastes resources securing systems that don't need it. Under-scoping creates gaps that assessors will find, leading to failed assessments.