CMMC Scoping, Simplified: The Foundational Step DIB Contractors Can’t Skip

When defense contractors start their CMMC journey, most focus on controls, policies, and tools. But there’s a quieter step that determines whether your certification effort succeeds or stalls: scoping.

As Casey Lang, CyberSheath SVP of Compliance, put it during the CMMC Scoping Pitfalls webinar, “Scoping is critical. You have to identify the assets, the people, the processes that all relate to CMMC systems—those that process CUI. Without quality scoping, you risk readiness failures right at the start.” 

Organizations often jump straight into implementing controls without first defining scope. That mistake leads to delays, costly rework, and sometimes a failed assessment. Here’s what you need to know to get scoping right. 

TL;DR 

  • Scope first, then assess. Skipping scoping leads to delays and costly rework.
  • Document everything. People, systems, hardware, software—and map real data flows.
  • Engage the whole organization. IT alone can’t capture every CUI touchpoint.
  • Use the scoping guide. Categorize assets correctly and justify your decisions.
  • Keep scope current. Review monthly and tie updates to change management.
  • Prepare evidence. What you say in your SSP must match what you can show.
  • Get the CUI Guide to help safeguard Controlled Unclassified Information, a contractual and regulatory requirement of CMMC. 

Why Scoping Comes First. Skip it, and You’ll Pay Later. 

Erik Winkler, who heads the federal team at ControlCase, an accredited C3PAO, explained the certification impact: “If the scoping documentation is not complete, you won’t even get out of phase one of certification assessments. Missing documentation puts your schedule and certification progress at risk.” 

Scoping isn’t just a technical exercise. It’s the foundation for everything else. Done well, it gives you a clear picture of where CUI lives, who touches it, and what systems protect it. Done poorly, it leaves blind spots that can derail your entire compliance journey. 

What Scoping Really Means 

Effective scoping starts with documenting every in-scope asset—people, systems, hardware, and software—and mapping how CUI flows through your organization. That means more than an IT network diagram or a quick inventory.  

CMMC scoping is a comprehensive account of assets that touch CUI, backed by data flow diagrams that tell the story of how CUI actually moves. Assessors want to see movement—pre‑contract intake, how CUI is received, where it lands, who works with it, and how it’s transmitted or stored, including paper and hand‑carried media. 

Casey stressed this point: “Your boundaries should be defined through the lens of how data moves. Jumping into tools or policies before conversations around data complexity is a common mistake.” 

Involve the Whole Organization. IT Alone Can’t Do This in a Vacuum. 

One of the biggest CMMC pitfalls is treating scoping as an IT-only task. CUI often touches teams far beyond the server room—contracts, business development, program managers, engineers, even finance. Erik put it simply: “Engage all stakeholders early. The more people you involve at the start, the more accurate your scope will be.” 

If scoping lands only on IT’s desk, you’ll miss where CUI really lives. Casey called it out: “The people who know the data the best are the people who actually work with the data.” 

Contracts and business development may receive specifications before award, program teams create or derive CUI as they build and deliver, and sometimes engineers print materials and stick them on pallets. It’s all part of the scope. 

Erik sees this in assessments too: “You could be dealing with people in the finance department and contracts that may deal with FCI data, CUI data as well. So, it’s important to have everybody involved in the scoping process.” 

Bottom line: widen the lens. The blind spots hide outside the server room. 

Use the CMMC Asset Categories—the “Gift” that Makes Scope Defensible 

We still call the DOD CMMC Scoping Guide a gift to the DIB because it gives contractors a shared language and structure. Erik summarized the categories that matter most: 

  • CUI assets: Systems/software that store, process, or transmit CUI; these must meet all 110 requirements aligned with NIST 800‑171.
  • Security protection assets: Tools that provide security functions (AV, patching, log collection/monitoring). They’re in scope but don’t necessarily handle CUI content.
  • Specialized assets: OT gear, embedded OS devices, manufacturing/test equipment that may touch CUI but can’t support every control; here, compensating controls and risk assessments matter.
  • Out‑of‑scope assets: Assets sufficiently isolated so they neither store, process, nor transmit CUI—and are documented as such.  

Casey’s take sums up why the guidance matters: “The CMMC scoping guideline gives some flexibility in what you do with specialized assets.” Use that flexibility but document it well.  

Erik also advised sanity checks: don’t over‑ or under‑classify. “You don’t want to label everything as CUI asset, but you don’t want to under report CUI assets, as well.” 

That balance is essential for a clean audit path and a scope that won’t collapse under questioning. Learn more about determining what’s in and out of scope. 

Avoid the Common Scoping Pitfalls that Can Derail an Assessment  

1. Missed platforms (the Linux “oh no” moment) 

You can’t scope to Windows alone if engineering teams run self‑managed Linux workstations and touch CUI. Casey’s example is common and costly. 

Erik explained the fallout: “If a CUI asset is not represented in the system security plan, that control would be marked as not met. Missing a platform could easily have you missing more than 50% of the 110 controls.” 

That one gap ripples across access, audit, configuration, and documentation.  
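The two checks above (categorize each asset with the scoping guide’s categories, then confirm every in-scope asset is actually represented in the SSP) are easy to run against a real inventory export once it is in a structured form. The script below is an added example written for this article; it is not CyberSheath’s or ControlCase’s tooling. The inventory records, the SSP asset list, and the attribute names (`touches_cui`, `security_function`, `supports_all_controls`, `isolated`) are constructed assumptions standing in for whatever fields your CMDB or spreadsheet exports.

```python
"""Categorize an asset inventory with the CMMC Scoping Guide categories the
article lists and flag in-scope assets the SSP does not cover.

Added example, not CyberSheath's or ControlCase's code. All records below are
constructed sample data; the attribute names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    platform: str
    touches_cui: bool               # stores, processes, or transmits CUI
    security_function: bool = False  # AV, patching, log collection, etc.
    supports_all_controls: bool = True  # False for OT / embedded gear
    isolated: bool = False          # isolation from CUI is documented


def categorize(asset: Asset) -> str:
    """Apply the scoping-guide decision order to one asset.

    An asset that touches CUI is a CUI asset unless it cannot support every
    control, in which case it is a specialized asset. Tools that only provide
    a security function are security protection assets. Only an asset with
    documented isolation may be called out of scope; anything else is a
    scoping gap that still needs a decision.
    """
    if asset.touches_cui:
        return "CUI asset" if asset.supports_all_controls else "specialized asset"
    if asset.security_function:
        return "security protection asset"
    if asset.isolated:
        return "out-of-scope asset"
    return "needs review"


def scope_report(assets) -> dict:
    """Group asset names by category (sorted, for stable SSP appendices)."""
    report: dict = {}
    for asset in assets:
        report.setdefault(categorize(asset), []).append(asset.name)
    return {cat: sorted(names) for cat, names in report.items()}


def ssp_gaps(assets, ssp_asset_names) -> list:
    """Names of assets that are not out of scope yet are absent from the SSP.

    This is the 'missed platform' check: an in-scope asset missing here means
    every control that applies to it will be assessed as not met.
    """
    documented = set(ssp_asset_names)
    return sorted(
        a.name for a in assets
        if categorize(a) != "out-of-scope asset" and a.name not in documented
    )


# Constructed sample inventory: note the self-managed Linux workstation that
# handles CUI but never made it into the SSP.
SAMPLE_INVENTORY = [
    Asset("win-ws-01", "Windows", touches_cui=True),
    Asset("linux-eng-07", "Linux", touches_cui=True),
    Asset("siem-01", "Linux", touches_cui=False, security_function=True),
    Asset("cnc-mill-02", "embedded", touches_cui=True, supports_all_controls=False),
    Asset("guest-wifi-ap", "embedded", touches_cui=False, isolated=True),
    Asset("fin-laptop-03", "Windows", touches_cui=False),
]

# Constructed SSP asset list (what the document currently claims).
SAMPLE_SSP_ASSETS = {"win-ws-01", "siem-01", "cnc-mill-02"}

if __name__ == "__main__":
    for category, names in scope_report(SAMPLE_INVENTORY).items():
        print(f"{category}: {', '.join(names)}")
    print("missing from SSP:", ssp_gaps(SAMPLE_INVENTORY, SAMPLE_SSP_ASSETS))
```

Run as-is it reports `linux-eng-07` (a CUI asset with no SSP entry) and `fin-laptop-03` (no CUI claim, no isolation documented, so no defensible category yet). The “needs review” bucket is deliberate: an asset that is neither documented as touching CUI nor documented as isolated is exactly the blind spot assessors find.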

2. Overusing “security protection asset” as a catch‑all

Labeling everything as CUI creates unnecessary complexity. Casey reminded us: “Everything can’t be CUI. The government decides what CUI is—avoid over-classification.”

3. Ignoring paper, printers, and hand‑carried media

It sounds old‑school, but paper is still a scope location. Erik reminded us: “You could have office spaces that come into scope as a CUI location. Printouts or documentation used to deliver the services.” Mark media per guidance; don’t leave physical handling out of scope. 

4. Backup clients and cloud defaults you didn’t notice 

End‑user backup apps that sync to consumer cloud? Document management tools that quietly back up “helpfully” to the vendor’s storage? These are scoping and DFARS headaches. 

Casey flagged it: “If you have a backup client moving the data to some cloud service, then you have FedRAMP requirements related to the storage of CUI outside of the asset that you manage.” Know what your endpoint software does by default.  

Learn more about following the flow of CUI. 

Build a Scope You Can Defend. Then Prove It. 

Assessors look first at your SSP, asset inventory, and data flow diagrams. If the flows make sense and the assets are categorized correctly, validation is faster. If things are vague, questions pile up. 

Erik’s advice: “Don’t feel bad if you have to generate many, many data flow diagrams. I never mind seeing more detail rather than less.” Fifteen diagrams? Fine—if that’s what clarity requires.  

And remember: VLANs aren’t segmentation. Flow control is segmentation. Casey warned that if your approach is isolation, “Make sure that network segment is actually controlling flow. Sometimes VLANs are just VLANs by name, and that’s not really separation at all.” 

If you claim isolation, expect to demonstrate it. Erik added, “You want to validate that that flow control is working because the assessor may ask you to show proof.” 
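One way to produce the proof Erik describes is to evaluate the inter-zone policy the way the firewall would and record which probes into the CUI enclave are actually denied. The script below is an added example for this article, not CyberSheath’s or ControlCase’s tooling. The zone names, the rule format, the probe ports and both policies are constructed; in practice you would parse the firewall’s own rule export into the same `Rule` records and keep the resulting table with your SSP evidence.

```python
"""Show that a segmentation claim is backed by flow control, not just by VLAN
names, by evaluating a zone policy against a probe matrix.

Added example, not CyberSheath's or ControlCase's code. Zones, rules and
ports are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str               # source zone, or "any"
    dst: str               # destination zone, or "any"
    dport: Optional[int]   # destination TCP port, or None for any port
    action: str            # "allow" or "deny"

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src in ("any", src)
                and self.dst in ("any", dst)
                and self.dport in (None, port))


def evaluate(policy, src: str, dst: str, port: int) -> str:
    """First-match evaluation with an implicit default deny, as most
    zone-based firewalls do."""
    for rule in policy:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


ZONES = ["guest", "corp", "mgmt", "siem", "cui_enclave"]
PROBE_PORTS = [22, 443, 445, 3389]

# "VLANs by name": the core router routes freely between VLANs.
VLAN_ONLY_POLICY = [Rule("any", "any", None, "allow")]

# Flow control: only the documented exceptions reach or leave the enclave.
ENFORCED_POLICY = [
    Rule("mgmt", "cui_enclave", 22, "allow"),      # admin SSH from mgmt
    Rule("cui_enclave", "siem", 514, "allow"),     # syslog to the SIEM
    Rule("any", "cui_enclave", None, "deny"),
    Rule("cui_enclave", "any", None, "deny"),
]

# Inbound (source zone, port) pairs the SSP documents as permitted.
PERMITTED_INBOUND = frozenset({("mgmt", 22)})


def isolation_violations(policy, protected="cui_enclave",
                         permitted=PERMITTED_INBOUND,
                         zones=ZONES, ports=PROBE_PORTS) -> list:
    """Every (src zone, port) that can reach the protected zone but is not a
    documented exception. An empty list is what the assessor wants to see."""
    violations = []
    for src in zones:
        if src == protected:
            continue
        for port in ports:
            allowed = evaluate(policy, src, protected, port) == "allow"
            if allowed and (src, port) not in permitted:
                violations.append((src, port))
    return violations


def evidence_rows(policy, protected="cui_enclave",
                  zones=ZONES, ports=PROBE_PORTS) -> list:
    """Rows of (src, port, result) for the evidence table kept with the SSP."""
    return [(src, port, evaluate(policy, src, protected, port))
            for src in zones if src != protected for port in ports]


if __name__ == "__main__":
    for label, policy in (("VLAN only", VLAN_ONLY_POLICY),
                          ("enforced", ENFORCED_POLICY)):
        print(f"{label}: {len(isolation_violations(policy))} violation(s)")
    for src, port, result in evidence_rows(ENFORCED_POLICY):
        print(f"  {src:>5} -> cui_enclave:{port:<5} {result}")
```

The “VLAN only” policy produces a violation for every probe except the one documented exception, which is the situation Casey describes: separate VLANs with nothing controlling traffic between them. The enforced policy produces none, and the evidence rows give you something concrete to hand over when the assessor asks for proof. The same probe matrix can be run live with a port scanner from each zone to confirm the deployed configuration matches the export.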

When it comes to external providers (MSPs/MSSPs), make sure to align responsibilities. 

You’ll need customer responsibility matrices (CRMs) from external providers that clearly split what they manage and what you own. And your SSP should mirror that at the control objective level. Erik’s process: “We look for a CRM that tells you what controls you’re responsible for and which [they] manage. We validate against the CRM. As long as the two match up, there’s no issue.” 

On MSPs, Casey shared a reality we see in audits: if the provider isn’t certified and their personnel directly touch your environment, “that thread usually gets pulled in a lot of depth.” When you work with a CMMC‑certified MSP like CyberSheath, it’s easier for assessors to confirm the controls the provider owns, and a smoother process for you.  

Scope Management isn’t One‑and‑Done. Make Scoping a Living Process. 

The moment your systems, workflows, or handling practices change, scope changes. Casey emphasized: “Scope management isn’t one and done. Continuous evaluation prevents costly rework and ensures readiness at every stage.” 

Casey described our cadence: “On a monthly basis we’re asking, do you have business changes, acquisitions, divestitures, new technologies, new CUI handling use cases?” 

Erik’s recommendation matches: “Do it at least monthly so you stay on top of it.” M&A, new cloud features, new backup settings—don’t wait for an audit to discover them.  

Shifts in collaboration can also alter architecture choices—enterprise vs enclave vs hybrid. We’ve watched contractors move from enclave to enterprise (and back) as GCC High requirements, printing needs, or field workflows evolved. 

Bottom line: manage scoping as your business changes, and you’ll be ready whether you’re scheduling a certification or fielding a DIBCAC visit.  

What Assessors Want to See 

When a C3PAO reviews your scope, they’ll look for: 

  • A complete System Security Plan (SSP)
  • Accurate asset categorization
  • Data flow diagrams that show how CUI moves
  • Evidence that isolation and segmentation actually work (VLAN names aren’t enough—flow control matters) 

If you remember one thing from the CMMC Scoping Pitfalls webinar, make it this: scope first. Scoping is the strategy that turns CMMC from a maze into a map. Because when you know exactly where CUI lives and how it moves, you know exactly which controls matter, where to apply them, and how to defend your decisions under assessment.  

Need help building a defensible scope and keeping it current? 

Get in touch with us. We’ll work with your stakeholders, map real data flows, right‑size your boundary, and prepare assessor‑ready documentation and evidence so your CMMC certification effort stays on track.