Understanding CMMC 2.0 Assessment Scoping
January 5, 2026
Achieving Cybersecurity Maturity Model Certification 2.0 (“CMMC”) compliance requires defining which systems, assets, and facilities fall within the assessment boundary. These scoping obligations exist whether an organization conducts a self-assessment or prepares for review by a Certified Third-Party Assessor Organization (“C3PAO”). Scoping requirements vary by level; however, all derive from 32 C.F.R. § 170.19. Contractors performing self-assessments must apply these same definitions, because the self-assessment is only valid for the scope they define and affirm. For organizations preparing for a C3PAO assessment, precise scoping avoids spending time and budget on the review of assets that did not need to be assessed.
CMMC Level 1 Scoping:
A contractor seeking only a CMMC Level 1 assessment must identify the information systems that store, process, or transmit Federal Contract Information (“FCI”). The assessment is limited to these assets; however, any assets excluded from the scope should be technically or physically segregated to prevent FCI from migrating to out-of-scope systems. For many organizations, the administrative and technical burden of maintaining such a narrow enclave can exceed the cost of broader “Whole Enterprise” compliance. In addition, including the “Whole Enterprise” within the CMMC Level 1 scope reduces the risk associated with data spillage, though the optimal strategy depends on specific organizational architecture.
CMMC Level 2 Scoping:
The scope for CMMC Level 2 is broader and introduces five distinct asset categories: Controlled Unclassified Information (“CUI”) Assets, Security Protection Assets (“SPAs”), Contractor Risk Managed Assets (“CRMAs”), Specialized Assets, and Out-of-Scope Assets. The assessment requirements for each category are defined in 32 C.F.R. § 170.19(c)(1). Scoping at this level generally allows for a strategic business decision between segmentation and management, as further explained below. Please note, the strategies below primarily address CMMC Level 2.
Option 1: The Segmentation Strategy
This strategy involves isolating Controlled Unclassified Information (“CUI”) to a specific enclave. By physically or logically separating assets (e.g., using firewalls, VLANs, or air gaps, with DLP controls to prevent CUI from leaving the enclave) so they cannot access CUI, those assets become Out-of-Scope and require no assessment. See 32 C.F.R. § 170.19(c)(1). Note that the devices enforcing the boundary (the firewall, the VLAN switch configuration, the DLP tooling) remain in scope as Security Protection Assets, because they provide security functions for the CUI environment. The primary benefit of this approach is the reduction in the number of devices an assessor must review and document. Furthermore, by relying on technical barriers rather than human adherence to policy (as in Option 2: The Management Strategy (The “Soft Boundary”)), this strategy reduces the potential legal exposure related to inadvertent CUI leakage. However, the segmentation strategy requires significant upfront IT investment and expertise.
Option 2: The Management Strategy (The “Soft Boundary”)
Alternatively, organizations can utilize the “Contractor Risk Managed Asset” (“CRMA”) designation. This allows assets that are technically capable of accessing CUI, but are not intended to do so, to remain on the general network without technical segmentation, provided they are managed by company policy, procedures, and practices. See 32 C.F.R. § 170.19(c)(1). CRMAs are not exempt from documentation: they must still appear in the asset inventory, the System Security Plan, and the network diagram, and the assessor may review that documentation to confirm the assets are in fact managed as described. This approach minimizes operational disruption and upfront investment; however, it shifts the compliance burden from technical safeguards to administrative documentation and company policy.
This Soft Boundary/Management Strategy carries higher potential legal risk. If human error (in violation of company policy) results in CUI spilling onto a CRMA or an out-of-scope asset, it triggers a cascade of legal and contractual obligations, including mandatory reporting, forensic investigations, remediation costs, and potential liability under the False Claims Act.
Generally, contractors with Level 3 aspirations should be cautious of the Management Strategy. Under 32 C.F.R. § 170.19(d), Contractor Risk Managed Assets lose their Level 2 assessment exemption: at Level 3 they are assessed against all Level 2 security requirements. A “Soft Boundary” that was acceptable at Level 2 therefore becomes a set of general-network assets that must be brought into full Level 2 compliance (or segmented out of scope) before a Level 3 assessment, and any that are not will be assessed as deficiencies.
How Global Executive Solutions Can Help
Determining the precise assessment scope is a financial calculation as much as a technical one. Over-scoping wastes budget on unnecessary controls and hardware, while under-scoping invites audit failure and potential legal liability.
Global Executive Solutions, LLC (“GES”) assists contractors in navigating these strategic decisions to find the balance between compliance and cost. We provide specialized scoping services for CMMC Level 1 and Level 2 self-assessments, helping you determine whether a “Whole Enterprise”, “Segmentation”, or “Management Strategy/Soft Boundary” approach best fits your operational needs. For organizations targeting CMMC Level 2 or Level 3 certification, we can assist you in preparing your environment for the C3PAO and identifying scope reduction opportunities that remove unnecessary assets from the assessment boundary. This preparation not only reduces the risk of non-compliance and failure, but can significantly accelerate the certification timeline by focusing resources only on the assets that matter.
Contact us today to define a scope that secures your data.
HOW GES CAN HELP
GES supports defense-sector firms in scoping, readiness, and audit preparation for CMMC Level 2. We can help you identify which business units and systems process FCI/CUI; develop and validate a System Security Plan and artifacts mapped to NIST SP 800-171; establish SPRS postings tied to the correct CMMC UIDs; and prepare for a C3PAO assessment. If your pipeline includes DoD opportunities after November 10, 2025, the most cost-effective step is to scope now and close priority gaps before solicitations land.
