Before you implement a single control, you have to answer one question: what's in scope? Scoping is the highest-leverage decision in your whole CMMC effort — draw the boundary too wide and you're securing your entire company; draw it right and you're securing a small, defined slice. This guide explains the five asset categories and how to shrink your scope honestly.
The core principle
CMMC Level 2 protects Controlled Unclassified Information (CUI). The requirements apply wherever CUI is processed, stored, or transmitted — and to the systems that protect those places. Anything that genuinely can't touch CUI, and is separated from the things that do, falls outside the assessment. So the game is simple: contain CUI to as small a footprint as you can, then prove the boundary.
The five asset categories
The official CMMC Level 2 Scoping Guide sorts every asset in your environment into one of five buckets:
| Category | What it is | How it's assessed |
|---|---|---|
| CUI Assets | Process, store, or transmit CUI — file servers, the laptops people use to open CUI, the cloud tenant holding it. | Assessed against all applicable Level 2 requirements. The core of your scope. |
| Security Protection Assets (SPA) | Provide a security function that protects CUI — firewalls, SIEM, EDR, your MFA/identity provider, the enclave's security tooling. | Assessed against the requirements relevant to the protection they provide. |
| Contractor Risk Managed Assets (CRMA) | Could process, store, or transmit CUI but aren't intended to, and are kept that way by your own risk-based policies and procedures rather than by full implementation of the controls. They do not have to be physically or logically separated from the CUI environment. | Not assessed against the CMMC practices, but they must be in the asset inventory, SSP, and network diagram, and the assessor reviews your risk-based policy and can pull them into scope if they are not actually being managed as claimed. |
| Specialized Assets | Government-furnished equipment, IoT/OT, restricted information systems, test equipment. | Documented in the SSP and network diagram; managed via risk-based policy; limited assessment. |
| Out-of-Scope Assets | Cannot process, store, or transmit CUI and are physically or logically separated from the CUI environment. | Not assessed at all. |
The enclave strategy (why most small shops use it)
Here's the move that makes CMMC affordable for a small business: instead of securing your whole company network, you stand up a dedicated enclave — a walled-off environment (often a Microsoft 365 GCC High tenant, or Azure Government / AWS GovCloud) — and keep all CUI inside it. Now your "CUI Assets" are just the enclave, your "SPAs" are its security tooling, and your regular corporate network can be largely out of scope because CUI never lives there.
This is why you'll hear "enclave" constantly. Scoping down to an enclave isn't cutting corners; it's the sensible way to keep the 110 requirements from swallowing your entire business, provided you can show the assessor how CUI is kept inside it.
"Which controls are N/A on my current network?"
This is the question every small contractor asks, and the answer follows directly from scoping: requirements apply where CUI is, not where it isn't. If CUI lives only in your GCC High enclave, then the 110 requirements apply to that enclave and to its SPAs (including corporate-side systems that protect it, such as the identity provider that issues enclave MFA). Your general corporate network, if it's properly separated and never touches CUI, isn't assessed against those controls. Note the distinction: this is assets leaving scope, not controls becoming N/A. Inside the boundary, all 110 still apply, and a requirement is only N/A where the assessor agrees it genuinely cannot apply to the in-scope environment.
A common worked example: CUI accessed through VDIs (virtual desktops) in GCC High. If users reach CUI only inside a virtual desktop in the enclave, and the session is locked down so CUI can't leave it (clipboard redirection off, no drive or file download to the local device, no printing or screen capture to it, so that only keyboard, video, and mouse cross the session boundary), then the endpoints people connect from can often be treated as CRMA, or even out-of-scope, because they can't actually store or process the CUI themselves. The controls land on the enclave and the VDI, not on every laptop in the building. The catch is that the lockdown has to be real and verifiable: a single redirected clipboard or enabled download path turns that laptop into a CUI asset.
How to scope, step by step
- Find your CUI. Identify every place CUI enters, lives, and moves — contracts, email, file shares, the enclave. You can't scope what you haven't located.
- Decide on an enclave. For most small contractors, containing CUI to a dedicated enclave is the cheapest path. Everything else flows from this.
- Categorize every asset into the five buckets above. Be honest — wishful categorization gets caught at assessment.
- Prove the separation. Document how out-of-scope and CRMA assets are kept away from CUI (network segmentation, conditional access, DLP, no-download policies).
- Write it into your SSP with a network/data-flow diagram. The boundary and asset inventory are core SSP content — an assessor reads them first.
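One way to sanity-check step 3 against step 4 before an assessor does it for you. The script below is an added example, not code from the original page or from any CMMC tooling; the inventory, flow list, and policy IDs in it are constructed, and the rules it applies are the ones stated above: anything a CUI-carrying flow reaches is a CUI Asset, an asset with any connection to a CUI Asset cannot be Out-of-Scope, and a CRMA or Specialized asset must have a risk-based policy on record. A VDI session with clipboard and downloads disabled is recorded as a flow that does not carry CUI, which is how the connecting laptop stays CRMA.

```python
from collections import deque

# Asset categories from the CMMC Level 2 Scoping Guide.
CATEGORIES = {"CUI", "SPA", "CRMA", "Specialized", "OutOfScope"}

# Constructed sample inventory (hypothetical names, not real systems):
# asset name -> attributes. "policy" is the risk-based policy a CRMA or
# Specialized asset is managed under.
ASSETS = {
    "gcchigh-sharepoint": {"category": "CUI", "policy": None},
    "enclave-vdi":        {"category": "CUI", "policy": None},
    "enclave-firewall":   {"category": "SPA", "policy": None},
    "entra-id":           {"category": "SPA", "policy": None},
    "eng-laptop-01":      {"category": "CRMA", "policy": "POL-CRMA-01"},
    "hr-pc":              {"category": "CRMA", "policy": None},
    "marketing-laptop":   {"category": "OutOfScope", "policy": None},
    "reception-pc":       {"category": "OutOfScope", "policy": None},
    "corp-fileshare":     {"category": "OutOfScope", "policy": None},
}

# Constructed data flows: (source, destination, carries_cui).
# carries_cui=False means a connection exists but CUI cannot cross it,
# e.g. a VDI session with clipboard and downloads disabled.
FLOWS = [
    ("gcchigh-sharepoint", "enclave-vdi", True),
    ("enclave-firewall", "enclave-vdi", False),
    ("eng-laptop-01", "enclave-vdi", False),    # display-only VDI session
    ("enclave-vdi", "marketing-laptop", True),  # someone enabled downloads
    ("reception-pc", "corp-fileshare", False),
]


def _bfs(start, neighbours):
    """Breadth-first reachability over a neighbours(name) -> list function."""
    seen = set(start)
    queue = deque(start)
    while queue:
        node = queue.popleft()
        for nxt in neighbours(node):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def cui_reachable(assets, flows):
    """Assets that actually receive CUI: the declared CUI assets plus
    everything downstream of them over flows that carry CUI (directed)."""
    start = [n for n, a in assets.items() if a["category"] == "CUI"]
    return _bfs(start, lambda n: [d for s, d, cui in flows if s == n and cui])


def connected_to_cui(assets, flows):
    """Assets with any connection, in either direction, to a CUI asset.
    Such an asset is not separated and therefore cannot be Out-of-Scope."""
    start = [n for n, a in assets.items() if a["category"] == "CUI"]

    def neighbours(n):
        return [d for s, d, _ in flows if s == n] + [s for s, d, _ in flows if d == n]

    return _bfs(start, neighbours)


def check_scoping(assets, flows):
    """Return (asset, finding) pairs; an empty list means the declared
    categories are consistent with the recorded flows and policies."""
    findings = []
    receives_cui = cui_reachable(assets, flows)
    connected = connected_to_cui(assets, flows)
    for name, attrs in assets.items():
        cat = attrs["category"]
        if cat not in CATEGORIES:
            findings.append((name, f"unknown category {cat!r}"))
            continue
        if name in receives_cui and cat != "CUI":
            findings.append((name, f"receives CUI over a flow but is categorized {cat}; it is a CUI Asset"))
        if cat == "OutOfScope" and name in connected:
            findings.append((name, "Out-of-Scope but connected to a CUI asset; recategorize as CRMA or CUI, or cut the connection"))
        if cat in ("CRMA", "Specialized") and not attrs.get("policy"):
            findings.append((name, f"{cat} asset has no risk-based policy on record"))
    return findings


if __name__ == "__main__":
    for asset, msg in check_scoping(ASSETS, FLOWS):
        print(f"{asset}: {msg}")
```

Run as-is, it flags marketing-laptop twice (it receives CUI, and it is labelled Out-of-Scope while connected to the enclave) and hr-pc once (CRMA with no policy), and it stays quiet about eng-laptop-01, whose only connection is the display-only VDI session. Feed it your real inventory and data-flow diagram and the findings are exactly the questions an assessor will ask.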
Know your number before you scope deeper
Once you've drawn your boundary, score the controls that apply to it. Our free calculator runs all 110 in about 10 minutes.
Scoping first, controls second — that order saves the most time and money. Define your boundary, contain CUI to an enclave, categorize honestly, then score what's in scope and document it in your SSP. Both tools are free and run in your browser.