# CUI Scoping for CMMC Level 2: How to Define Your Assessment Boundary
**CUI scoping boils down to identifying and bounding the systems that process, store, or transmit Controlled Unclassified Information (CUI) for your CMMC Level 2 assessment.** Start with a full CUI inventory, trace data flows across your network, segment CUI-handling assets into enclaves, and document the boundary in your System Security Plan (SSP). Done well, this typically reduces the assessment footprint by 40-60%, concentrating compliance effort on the assets that actually touch CUI (and the assets that protect them) while keeping unrelated systems out of scope. See [SPRS Score Explained](/sprs-score-explained/) for how the scoped boundary feeds the score you report to DoD.
Practitioners who’ve scoped CUI for dozens of DoD contractors emphasize: **get the boundary right early to avoid C3PAO rejections amid the [C3PAO Backlog](/c3pao-assessment-backlog/).**
## What is CUI and Why Does Scoping Matter for CMMC Level 2?
Controlled Unclassified Information (CUI) is information the government creates or possesses, or that a contractor handles on its behalf, that a law, regulation, or government-wide policy requires to be safeguarded, as defined in 32 CFR Part 2002. You recognize it by markings, by the NARA CUI Registry categories, and by the clauses in your contracts. For CMMC Level 2, **CUI scoping isolates the "assessment boundary", the subset of your IT environment that handles or protects CUI, from the rest of the enterprise network.** Note the "or protects": under the DoD CMMC Level 2 scoping guidance (32 CFR Part 170), Security Protection Assets such as your SIEM, identity provider, and MDM are in scope even though they store no CUI.
**Why scope?** Without a boundary you would have to implement, and produce evidence for, all 110 NIST SP 800-171 requirements across the whole enterprise, inflating cost (see [CMMC Certification Cost](/cmmc-certification-cost/)) and timeline ([CMMC Level 2 Timeline](/cmmc-level-2-certification-timeline/)). A well-drawn enclave also lets you **inherit controls** from a cloud service provider (for example, physical and media protection in a FedRAMP-authorized environment), so you implement and evidence only your share of each requirement rather than the whole thing.
Practitioners note: **in hybrid environments an unscoped assessment roughly doubles the effort. Scope first, then inherit from the FedRAMP-authorized provider using its customer responsibility matrix (CRM).**
– **Direct answer: CUI commonly found at DoD contractors includes Controlled Technical Information (CTI), export-controlled data, and proprietary business information; check your DFARS 252.204-7012 clauses and contract data requirements for what applies to you.**
– **Markings: a "CUI" banner, optionally with category and dissemination markings (e.g., CUI//SP-CTI for Controlled Technical Information); legacy "FOUO" markings flag documents that need review.**
– **Scoping benefit: Reduces the assets under assessment from 100% of the enterprise to roughly 40-60%.**
[Start with a free readiness assessment](/cmmc-readiness-assessment/) to baseline your CUI exposure.
## How Do You Identify CUI in Your Organization?
**Step 1: Conduct a CUI Inventory.** Review contracts for DFARS 252.204-7012, 7019, 7020, and 7021 clauses and for CUI delivery requirements, search mail and file stores for markings, and ask stakeholders what data types they handle.
**Practitioners who've scoped CUI note that as much as 70% of overlooked CUI hides in email archives and shared drives: sweep them with an eDiscovery or data classification tool such as Microsoft Purview.**
– **Technical data:** Blueprints, schematics, and specifications (Controlled Technical Information), often also export-controlled under ITAR/EAR.
– **Privacy data:** PII that a law or regulation requires to be protected (the Privacy category group in the CUI Registry); a record is not CUI just because it contains a name.
– **Proprietary:** SBIR proposals and cost or pricing data submitted to the government.
**Step 2: Data Flow Mapping.** Diagram every CUI ingress and egress point (contract portals, email, supplier exchanges, engineering and ERP systems) with a tool such as Microsoft Visio or Lucidchart, and record which enclave each hop lands in.
**Common finds:** CAD files on engineering laptops, CUI in Microsoft 365 mailboxes, drawings in SharePoint, and copies in backup and collaboration tools that nobody listed.
**Direct answers:**
– **Use the NARA CUI Registry** to map each contract to its category groups and categories (over 20 groups, more than 100 categories), which drives marking and handling.
– **Interview 10-20 key personnel** across engineering, contracts, and program management about where CUI arrives, is stored, and leaves.
– **Scan file shares in full** with regular expressions for banner markings (CUI, CUI//SP-CTI, legacy FOUO) rather than sampling; spot checks are how CUI escapes scope.
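As an added example (not code from the original article), here is a small scanner that sweeps a directory tree for CUI indicators: the banner marking with optional category (for instance CUI//SP-CTI), the spelled-out phrase, legacy FOUO markings, DoD Distribution Statements B-F, and DFARS 252.204-70xx clause references. Office Open XML files (.docx/.xlsx/.pptx) are zip containers of XML, so they are opened and de-tagged; PDFs and CAD files are reported as unparsed rather than silently skipped. The indicator list, the file extensions, and the sample files it builds are my assumptions, constructed for the demo.

```python
"""Added example (not from the original article): sweep a file tree for CUI markings.

Plain-text files are read directly; Office Open XML files (.docx/.xlsx/.pptx)
are zip containers of XML, so their text is pulled out and de-tagged.
Hits are candidates for the CUI inventory, not proof: a human still has to
confirm each one against the contract and the NARA CUI Registry.
All sample files built below are constructed for the demo.
"""
import re
import tempfile
import zipfile
from pathlib import Path
from typing import Optional

INDICATORS = {
    # 32 CFR 2002 banner: "CUI", optionally with category/dissemination
    # markings such as CUI//SP-CTI. Case-sensitive so "circuit" never matches.
    "cui_banner": re.compile(r"\bCUI\b(?:\s*//\s*(?:SP-)?[A-Z]+(?:/(?:SP-)?[A-Z]+)*)?"),
    "cui_spelled_out": re.compile(r"\bCONTROLLED UNCLASSIFIED INFORMATION\b", re.I),
    # Legacy marking; such documents need review, not automatic inclusion.
    "legacy_fouo": re.compile(r"\b(?:FOUO|FOR OFFICIAL USE ONLY)\b", re.I),
    # Distribution Statements B-F on DoD technical data usually signal CTI.
    "distribution_stmt": re.compile(r"\bDISTRIBUTION STATEMENT [B-F]\b", re.I),
    "dfars_clause": re.compile(r"\b252\.204-70(?:12|19|20|21)\b"),
}
TEXT_EXT = {".txt", ".md", ".csv", ".eml", ".xml", ".json", ".log"}
OOXML_EXT = {".docx", ".xlsx", ".pptx"}
XML_TAG = re.compile(r"<[^>]+>")


def extract_text(path: Path) -> Optional[str]:
    """Return searchable text for a file, or None if the format is not handled."""
    ext = path.suffix.lower()
    if ext in TEXT_EXT:
        return path.read_text(encoding="utf-8", errors="replace")
    if ext in OOXML_EXT:
        with zipfile.ZipFile(path) as zf:
            parts = [zf.read(n).decode("utf-8", "replace")
                     for n in zf.namelist() if n.endswith(".xml")]
        return XML_TAG.sub(" ", " ".join(parts))
    return None  # PDF, CAD, images: route to a dedicated extractor


def scan_text(text: str) -> dict:
    """Map indicator name -> sorted unique matches found in the text."""
    hits = {}
    for name, pattern in INDICATORS.items():
        found = sorted({m.group(0).upper() for m in pattern.finditer(text)})
        if found:
            hits[name] = found
    return hits


def scan_tree(root: Path) -> dict:
    """Walk root; return {'hits': {relpath: hits}, 'unparsed': [relpath, ...]}."""
    report = {"hits": {}, "unparsed": []}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        text = extract_text(path)
        if text is None:
            report["unparsed"].append(rel)
        elif hits := scan_text(text):
            report["hits"][rel] = hits
    return report


def build_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a contractor's file shares."""
    files = {
        "contracts/sow.txt": "Clauses DFARS 252.204-7012 and 252.204-7021 apply; CUI flows to subs.",
        "engineering/rfq.eml": "Subject: bracket RFQ\n\nCONTROLLED UNCLASSIFIED INFORMATION - see attachment.",
        "hr/handbook.txt": "Employee handbook. Circuit breaker training and VISUAL ACUITY tests are quarterly.",
        "legacy/memo.txt": "FOR OFFICIAL USE ONLY\nTravel policy memo, 2015.",
    }
    for rel, body in files.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body, encoding="utf-8")
    (root / "cad").mkdir(exist_ok=True)
    (root / "cad" / "part.dwg").write_bytes(b"AC1027\x00\x01")  # binary: not parsed here
    with zipfile.ZipFile(root / "engineering" / "bracket_notes.docx", "w") as zf:
        zf.writestr("word/document.xml",
                    "<w:document><w:p><w:t>CUI//SP-CTI</w:t></w:p>"
                    "<w:p><w:t>DISTRIBUTION STATEMENT D. Bracket tolerances.</w:t></w:p></w:document>")


def demo() -> dict:
    """Build the sample tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="cui_scan_"))
    build_sample_tree(root)
    return scan_tree(root)


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The `unparsed` list matters as much as the hits: every file type the scanner cannot read is a gap in the inventory until a proper extractor (PDF text, CAD metadata) covers it, and the HR handbook shows why the banner pattern is case-sensitive and word-bounded.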
## What Defines the CMMC Level 2 Assessment Boundary?
**The assessment boundary is the formalized set of hardware, software, networks, and people that process, store, transmit, or protect CUI.** Document it in the SSP with an asset inventory and a network diagram, using the asset categories in the DoD CMMC Level 2 scoping guidance (32 CFR Part 170).
**Key elements:**
– **In-scope:** Servers storing CUI, endpoints accessing it, and the Security Protection Assets that protect them (identity provider, SIEM, MDM, backup), which are assessed even though they hold no CUI.
– **Out-of-scope:** Systems that cannot access CUI and are physically or logically separated from the enclave, such as an HR system with no CUI and no path into it. An admin network qualifies only if it administers none of the CUI assets.
Practitioners report: **a clear boundary diagram cuts assessor questions by as much as 80%; include IP ranges, VLANs, firewall placement, and every interface between enclaves.**
**Direct answers:**
– **Boundary = Assets + Interfaces + Flows.**
– **Exclude segmented non-CUI enclaves.**
– **Validate against your C3PAO's pre-assessment readiness checklist before the assessment starts.**
Link to [CMMC Level 2 Requirements](/cmmc-level-2-requirements/) for control mapping.
## How to Segment Networks into CMMC Enclaves?
**Enclaves are logical or physical groupings of CUI-handling assets that share one set of security controls.** Segment them with VLANs, firewalls, and cloud network security groups (NSGs), with default-deny between enclaves.
**4 Enclave Types:**
– **CUI Production Enclave:** Core handling (e.g., engineering servers).
– **CUI User Enclave:** Endpoints accessing CUI.
– **Management Enclave:** Identity and MFA, logging, patching, and other Security Protection Assets.
– **Infrastructure Enclave:** Shared services (DNS, NTP).
**Practitioners who've segmented for CMMC Level 2 advise: enforce enclave membership on endpoints with an MDM such as Microsoft Intune (formerly Microsoft Endpoint Manager) plus conditional access, so devices outside policy cannot reach CUI. That produces evidence for many configuration and access requirements, but inheritance comes from the cloud provider's customer responsibility matrix, not from the MDM.**
**Direct answers:**
– **Segment via Layer 3 ACLs, firewall policy, or Azure NSGs, with an explicit default-deny between enclaves.**
– **Size: keep each enclave small enough that one control set applies uniformly; tens to a few hundred assets is typical.**
– **Test: verify isolation with TCP and UDP probes of real services (SMB, RDP, HTTPS, database ports) from a host in each neighbouring enclave. Ping alone proves only that ICMP is blocked.**
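As an added example (not from the original article), the check below replaces the ping test with TCP connect probes against an explicit allow/deny list between enclaves. The enclave names, the loopback listeners standing in for enclave services, and the port roles are hypothetical; in a real run each probe executes from a host inside its source enclave, and UDP services need a separate probe.

```python
"""Added example (not from the original article): test enclave isolation with
TCP connect probes instead of ping.

A firewall that drops ICMP but leaves RDP or SMB open between enclaves passes
a ping test and fails the assessment. This checks an explicit expectation list
(what must and must not be reachable) and returns every deviation. Enclave
names and the loopback stand-ins are hypothetical; in production each probe
runs from a host inside its source enclave.
"""
import socket
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Expectation:
    src_enclave: str        # where the probe must run from
    dst_enclave: str
    host: str
    port: int
    expect_reachable: bool  # False = policy says the firewall must block this path


def probe_tcp(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify a TCP connect: 'open', 'refused' (RST came back), or 'filtered' (dropped)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"
        except OSError:  # timeout, no route, network unreachable
            return "filtered"


def check_segmentation(expectations: List[Expectation]) -> List[dict]:
    """Probe every expectation and return those whose observed state contradicts policy.

    The observed state is kept so a reviewer can tell a reject rule ('refused')
    from a drop rule ('filtered') when updating the boundary diagram.
    """
    violations = []
    for e in expectations:
        state = probe_tcp(e.host, e.port)
        reachable = state == "open"
        if reachable != e.expect_reachable:
            violations.append({"expectation": e, "observed": state})
    return violations


def _listener() -> socket.socket:
    """Loopback TCP listener standing in for a service inside an enclave."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def _unused_port() -> int:
    """A loopback port with nothing listening; connects get RST, like a reject rule."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Loopback stand-in: an allowed service, a correctly blocked port, and one
    'blocked' port that actually answers (the misconfiguration this check exists to catch)."""
    app = _listener()      # e.g. HTTPS on the CUI application server
    leaked = _listener()   # e.g. SMB that must never answer the corporate LAN
    blocked = _unused_port()
    expectations = [
        Expectation("CUI-User", "CUI-Production", "127.0.0.1", app.getsockname()[1], True),
        Expectation("Corporate", "CUI-Production", "127.0.0.1", blocked, False),
        Expectation("Corporate", "CUI-Production", "127.0.0.1", leaked.getsockname()[1], False),
    ]
    try:
        violations = check_segmentation(expectations)
    finally:
        app.close()
        leaked.close()
    return {"checked": len(expectations), "violations": violations}


if __name__ == "__main__":
    for v in demo()["violations"]:
        e = v["expectation"]
        print(f"VIOLATION {e.src_enclave}->{e.dst_enclave} {e.host}:{e.port} observed={v['observed']}")
```

Run the expectation list from inside each source enclave on a schedule and keep the output with the boundary evidence; a clean run is what the "ping isolation" bullet was trying to prove, but for the services that actually carry CUI.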
## Inherited vs. Met Controls: Scoping’s Big Win?
**Inherited controls are requirements, or portions of requirements, that a cloud service provider such as Azure Government satisfies on your behalf; they still count toward the 110, but the assessor expects the provider's customer responsibility matrix (CRM) and evidence that you implemented your share.** Scoping maximizes what can be inherited.
**Example:** Microsoft Entra ID (formerly Azure AD) underpins much of the Access Control family, but most AC requirements are shared: the provider supplies the capability and you configure and evidence the policy (MFA, session limits, account lockout).
**Direct answers:**
– **List inherited requirements in an SSP appendix with Control ID, Provider, and Evidence (CRM row, FedRAMP package reference).**
– **A Level 2 C3PAO certification is valid for three years, with an annual affirmation of continued compliance by your organization; keep the inheritance evidence current for that affirmation.**
– **Hybrid: implement on-prem, inherit from cloud, and record which part of each shared requirement is yours.**
Practitioners note: **poor scoping can leave around 30% of requirements unmet at assessment time; map the gap to your [SPRS Score Explained](/sprs-score-explained/).**
## Step-by-Step Guide to Document CUI Scope in Your SSP?
**Give the SSP dedicated sections for the boundary and for each enclave; the NIST SP 800-171 SSP template is a common starting point.**
**Steps:**
1. **Inventory Assets:** CMDB export (ServiceNow).
2. **Map Flows:** Data lineage diagrams.
3. **Define Enclaves:** Boundaries, controls.
4. **Control Allocation:** Met/Inherited/Planned.
5. **POA&M for Gaps.**
**Direct answers:**
– **Include boundary diagrams: network diagrams (Visio) showing enclaves, interfaces, and CUI flows.**
– **Version the SSP with Git or SharePoint version history.**
– **Keep an audit trail: a change log entry for every boundary change.**
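This added example (not from the original article) validates the control allocation table that serves both the inheritance appendix above and the allocation step: every row must be a well-formed SP 800-171 requirement identifier, appear once, carry one status, and hold the evidence that status needs (a provider and CRM reference for Inherited, a POA&M item for Planned, an evidence reference for Met). The Met/Inherited/Planned statuses follow the article; the five-column CSV layout and the sample rows are my assumptions, constructed for the demo.

```python
"""Added example (not from the original article): sanity-check an SSP control
allocation table before a C3PAO sees it.

Every NIST SP 800-171 requirement must appear once with one status. Inherited
rows need a provider and an evidence reference (the CSP's customer
responsibility matrix row); Planned rows need a POA&M item; Met rows need
evidence. The CSV below is constructed sample data, not a real SSP.
"""
import csv
import io
import re

STATUSES = {"Met", "Inherited", "Planned"}
# Families 3.1 through 3.14 in SP 800-171 Rev 2; anything else is a typo.
REQ_ID = re.compile(r"^3\.(?:[1-9]|1[0-4])\.\d{1,2}$")

SAMPLE_ALLOCATION = """\
control_id,status,provider,evidence,poam_id
3.1.1,Met,,AC-policy-v3;Entra-CA-export-2024-05,
3.1.2,Inherited,Azure Government,FedRAMP High CRM row AC-3,
3.1.5,Planned,,,POAM-007
3.3.1,Inherited,,,
3.5.3,Planned,,,
3.5.3,Met,,MFA-enforcement-screenshot,
3.99.1,Met,,,
"""


def load_allocation(text: str) -> list:
    """Parse the CSV into dicts with whitespace-trimmed values."""
    return [{k: (v or "").strip() for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def validate_allocation(rows: list, expected_total: int = 110) -> dict:
    """Return per-status counts, a list of (control_id, problem) tuples, and the
    number of requirements the table does not cover at all."""
    issues, seen = [], set()
    counts = {s: 0 for s in STATUSES}
    for r in rows:
        cid, status = r["control_id"], r["status"]
        if not REQ_ID.match(cid):
            issues.append((cid, "malformed requirement id"))
            continue
        if cid in seen:
            issues.append((cid, "duplicate row"))
        seen.add(cid)
        if status not in STATUSES:
            issues.append((cid, f"unknown status {status!r}"))
            continue
        counts[status] += 1
        if status == "Inherited" and not (r["provider"] and r["evidence"]):
            issues.append((cid, "inherited without provider and CRM evidence"))
        if status == "Planned" and not r["poam_id"]:
            issues.append((cid, "planned without POA&M item"))
        if status == "Met" and not r["evidence"]:
            issues.append((cid, "met without evidence reference"))
    return {"counts": counts, "issues": issues,
            "uncovered": expected_total - len(seen)}


def demo() -> dict:
    """Validate the constructed sample table."""
    return validate_allocation(load_allocation(SAMPLE_ALLOCATION))


if __name__ == "__main__":
    result = demo()
    print(result["counts"], "uncovered:", result["uncovered"])
    for cid, problem in result["issues"]:
        print(f"{cid}: {problem}")
```

Treat a non-empty issue list, or a non-zero `uncovered` count, as a gate on SSP version bumps; the "inherited without provider and CRM evidence" case is the one assessors reject most often because it claims inheritance with nothing to point at.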
[Start with a free readiness assessment](/cmmc-readiness-assessment/) to generate your SSP starter.
## Common Pitfalls in CUI Scoping for CMMC Level 2?
**Pitfall 1: Over-scoping, treating all IT as CUI.** Solution: strict flow mapping, and moving CUI work into an enclave so the rest of the enterprise can be excluded.
**Pitfall 2: Ignoring people and mobile systems.** **Laptops roam: keep them inside the enclave through MDM enrollment and VPN-only access to CUI, or deny them CUI access entirely.**
Practitioners who've faced C3PAO pushback warn: **a boundary that keeps changing during the assessment fails; lock it before the assessment starts.**
**Direct answers:**
– **Avoid: shadow IT handling CUI (personal cloud storage, unmanaged file transfer, unsanctioned collaboration tools).**
– **Fix: quarterly re-scans of mail and file stores for new or migrated CUI.**
– **Risk: Scope creep adds $50K+ to [CMMC Certification Cost](/cmmc-certification-cost/).**
## How Long Does CUI Scoping Take and What’s Next?
**Timeline: 2-6 weeks for mid-size orgs.** Depends on CUI volume.
**Post-scoping:** Gap analysis, implementation, [C3PAO Backlog](/c3pao-assessment-backlog/) queuing.
**Practitioner tip: Parallelize with Level 1 self-attestation.**
**Final direct answers:**
– **Team: CISO + 2 engineers.**
– **Tools: Microsoft Purview (formerly Microsoft 365 Compliance), Tenable.**
– **Milestone: Approved SSP v1.0.**
Ready for CMMC Level 2? [Start with a free readiness assessment](/cmmc-readiness-assessment/).
*This content is for informational purposes only and does not constitute legal, compliance, or cybersecurity advice. Consult qualified professionals for guidance specific to your organization.*
References: NIST SP 800-171 | NIST SP 800-171A | 32 CFR Part 170 (CMMC Program) | 32 CFR Part 2002 | DoDI 5200.48 | Cyber-AB (CMMC-AB) assessment guidance