Skip to Content

How to Scope Your CMMC Level 2 Assessment Boundary

Scoping is the decision that shapes the cost, duration, and outcome of a CMMC Level 2 assessment. Get it wrong and no configuration change can save you.
June 29, 2026 by
How to Scope Your CMMC Level 2 Assessment Boundary
William Yeack (YGI Solutions)

Most teams approach Cybersecurity Maturity Model Certification (CMMC) Level 2 as a list of one hundred and ten controls to satisfy. That framing is correct but incomplete. Before any control applies, you have to decide where it applies. That decision is your assessment scope, and it is the most consequential and most frequently mishandled part of the entire effort.

Over-scope and you pay to secure systems that never touch sensitive data. Under-scope and an assessor finds Controlled Unclassified Information on a system you excluded, which can end an assessment before it finishes. This guide explains how to draw the boundary deliberately.

Start with the data, not the network

CMMC Level 2 protects Controlled Unclassified Information (CUI). Level 1, by contrast, protects only Federal Contract Information and carries fifteen basic safeguarding requirements. Level 2 aligns fully with NIST SP 800-171 and its one hundred and ten requirements across fourteen families. The first scoping question is therefore not architectural. It is informational: where does CUI actually live, move, and rest in your organization?

  • Identify every contract and data flow that introduces CUI.
  • Trace each flow through email, file storage, collaboration tools, endpoints, and any printed output.
  • Note where CUI is created, where it is received, and where it is transmitted onward to subcontractors.

Sort assets into the CMMC categories

The program defines several asset categories, and each is treated differently in an assessment. The practical goal is to keep the set of assets that store, process, or transmit CUI as small and as clearly bounded as is realistic, while honestly accounting for the systems that protect or connect to that boundary.

  • CUI assets

     that store, process, or transmit Controlled Unclassified Information. These are fully in scope.

  • Security protection assets

     that provide security functions to the boundary, such as identity providers and logging systems.

  • Contractor risk managed assets

     that can access the environment but are governed by policy rather than full assessment.

  • Out-of-scope assets

     that are physically or logically separated and never handle CUI.

Decide on enclave versus whole-tenant

There are two broad architectures. You can place the entire organization inside a compliant environment, or you can stand up a separate enclave scoped specifically for CUI while the rest of the business continues in a commercial environment. For most small and midsize contractors, a deliberately scoped enclave is the more economical and more defensible choice, because it shrinks the boundary to the systems that genuinely require it.

The enclave decision is tightly coupled to your cloud environment. If your CUI is export-controlled under ITAR or EAR, or if a contract requires United States persons only to administer the systems, the enclave generally has to run in a sovereign environment. We cover that decision in detail in our guide to choosing between Microsoft 365 Commercial, GCC, and GCC High.

Write the System Security Plan (SSP) to match reality

Both self-assessments and third-party assessments require a System Security Plan that describes the assessment scope, the major system components, and how each control is implemented. The plan has to describe the environment that actually exists. A common and expensive failure is a plan that describes intended practices that are not consistently performed. Documented practices that the environment does not actually follow do not survive an assessor's scrutiny.

See exactly what your framework will take.

YGI can help you achieve FedRAMP.

Book a Call

Pressure-test the boundary before the assessor arrives

A gap assessment is not a formal step in certification, but it is the most useful first move available to you. It is a point-in-time review of your current program against the requirements, and it surfaces scoping errors while they are still inexpensive to fix. Many organizations conduct gap, readiness, and mock assessments at different stages. Treating the readiness review as a separate workstream, rather than a footnote inside remediation, is one of the clearest markers of teams that pass cleanly.

110

NIST SP 800-171 Requirements at CMMC Level 2

14

Control Families

180 Days

Maximum window to Close a POA&M Item

Why scoping is where a partner earns their keep

A configuration change cannot fix a scoping error. By the time an under-scoped boundary is discovered, the cost is measured in re-assessment fees and lost contract time. Scoping rewards judgment built from many engagements: knowing which assets a particular assessor will challenge, where CUI tends to leak across boundaries, and how to keep an enclave small without leaving a gap. That judgment is the core of what YGI Solutions brings to a Level 2 program, and it is the hardest part to build from scratch under contract pressure.

# CMMC
Share