Skip to content

CMMC readiness

CUI Scoping: Drawing the Boundary That Shrinks Your CMMC Assessment

The single biggest lever on the cost and difficulty of a CMMC Level 2 assessment is not a control — it is where you draw the CUI boundary. Here are the five asset categories, the enclave strategy, and the discipline that keeps a tight scope honest.

Request proof sample

Before a contractor spends a dollar closing a control gap, there is a more consequential decision to make, and most teams make it by accident. The scope of your CMMC Level 2 assessment — how many systems, users, and objectives an assessor has to examine — is set by where Controlled Unclassified Information is allowed to live in your environment. Draw that boundary tightly and deliberately, and the entire program shrinks. Let CUI sprawl across the whole company, and you have signed up to protect and prove far more than you needed to. Scoping is the highest-leverage move in CMMC readiness, and it comes first.

What CUI actually is

Controlled Unclassified Information is a defined category, not a vibe. It originates in Executive Order 13556, is governed by 32 CFR Part 2002, and is cataloged in the National Archives' CUI Registry, which lists the specific information types and their handling requirements. On the defense side, DFARS 252.204-7012 obligates you to protect "covered defense information," a set that includes CUI. The scoping question follows directly from the definition: which of your assets process, store, or transmit CUI? Everything else in your scope determination is downstream of answering that precisely, and the honest answer is often narrower than the reflexive one — not every system that touches a contract touches CUI.

Why scope is the biggest lever on cost

The mechanism is simple. A Level 2 assessment evaluates the assets inside your CUI boundary against the 320 assessment objectives of NIST SP 800-171A. Every additional asset in scope multiplies the evidence you must produce, the configurations you must harden, and the objectives an assessor must verify. Shrinking the number of in-scope assets is therefore the most direct way to reduce the size, duration, and cost of the assessment — and of the remediation program that precedes it. This is why experienced contractors treat scope reduction as the first project, not an afterthought.

The five asset categories

The CMMC Level 2 Scoping Guide sorts every asset in your environment into one of five categories, and knowing which is which is the core of the exercise.

CUI Assets process, store, or transmit CUI. They are fully in scope and are assessed against the applicable requirements — this is the heart of your environment.

Security Protection Assets provide a security function to the CUI environment even if they never touch CUI themselves: your identity provider, firewalls, SIEM, endpoint protection, and similar tooling. They are in scope for the requirements relevant to the protection they provide.

Contractor Risk Managed Assets are capable of handling CUI but are not intended to, and are governed by policy and practice to keep them from doing so. They carry a lighter assessment burden, provided your documented risk management is real.

Specialized Assets include categories like operational technology and IoT devices, government-furnished equipment, test equipment, and restricted information systems. They are documented and managed by risk rather than assessed against the full requirement set.

Out-of-Scope Assets cannot process, store, or transmit CUI and are separated — logically or physically — from the CUI environment. They are not assessed at all. Moving assets legitimately into this category is exactly how you shrink the boundary.

The enclave strategy

The most effective way to keep the CUI boundary small is to stop CUI from spreading in the first place. That means building a dedicated enclave — a segmented environment, whether an on-premises network segment or a government-community cloud tenancy, where CUI is deliberately concentrated — and keeping the rest of the business outside it. When CUI lives in a defined enclave, the enclave and its Security Protection Assets are in scope and the sprawling remainder of your corporate IT is not. The alternative, where CUI is scattered across general-purpose email, file shares, and laptops company-wide, effectively pulls your entire estate into scope and turns a focused assessment into an enterprise-wide one.

An enclave only works with data-flow discipline behind it. You have to know where CUI enters the organization, where it comes to rest, and where it leaves, and you need the technical and policy controls that keep it from leaking back out into out-of-scope systems. Mapping those flows is the unglamorous work that makes a tight boundary defensible.

The discipline that keeps a tight scope honest

Aggressive scoping is legitimate and even encouraged — the program is explicitly designed to let you reduce your footprint. But there is a hard line between a small boundary and a fictional one. An assessor does not just read your boundary description; they test whether CUI actually stays inside it. If you have drawn a tight enclave on paper while CUI is in practice flowing through general email or unmanaged endpoints, the scope determination collapses and the assessment fails on contact with reality. The boundary you document in your System Security Plan has to be the boundary that exists, which is why scoping and the evidence package are two halves of the same job (see the companion post on what a C3PAO assessment requires). Scope reduction is a design problem to solve with real segmentation, not a wording problem to solve with careful phrasing.

Where Valty fits, honestly

Valty is not a C3PAO and does not make or bless your scope determination — that is your responsibility and, ultimately, the assessor's to verify. What the platform does is support the work: helping inventory and classify assets into the five scoping categories, tracking the CUI boundary and the data flows that define it, and keeping the boundary described in your System Security Plan consistent with the environment you actually run, so a scoping decision made early does not silently drift out of truth before assessment. It is readiness and decision-support, not authorization. For the full mandate context and next steps, see the CMMC overview and the federal and regulatory capability page.

Back to blogView proof surface