
An Expert’s Guide to CMMC Scoping & Asset Categorization for Level 2 Assessments
Achieving CMMC compliance requires more than just implementing security controls. It requires a clear understanding of what you're protecting and how you’re protecting it. That’s where asset categorization and scoping come in.
Whether you're undergoing a CMMC Level 2 self-assessment or Level 2 certification assessment, correctly identifying and scoping the systems, boundary, people, facilities, and processes that handle Controlled Unclassified Information (CUI) or Security Protection Data (SPD) is a critical first step. It can help avoid unnecessary costs, reduce audit complexity, and ensure the right security protections are in place.
This expert guide walks through everything you need to know to effectively categorize and scope assets for CMMC Level 2 compliance.
What is CMMC scoping?
CMMC scoping is the process of identifying all assets, systems, and vendors within your environment that are in-scope for CMMC compliance and therefore will be assessed against CMMC security requirements. In other words, scoping defines the boundaries of your CMMC assessment. It ensures that only relevant systems and assets are evaluated and protected under the CMMC framework.
The Department of Defense offers scoping guidance for each CMMC level in its resources repository. Here’s a brief overview of each below:
- Level 1 assessments: In-scope assets are any information systems which process, store, or transmit Federal Contract Information (FCI).
- Level 2 assessments: In-scope assets are any assets that process, store, or transmit CUI, and any assets that provide security protections for them. These fall into one of five asset categories defined in 32 CFR § 170.19(c)(1). We’ll provide an overview of each below.
- Level 3 assessments: In-scope assets are any assets that can (whether intended to or not) or do process, store, or transmit CUI, and any that provide security protections for these assets. These fall into one of four asset categories defined in 32 CFR § 170.19(d)(1); the Contractor Risk Managed Asset category does not exist at Level 3.
In this article, we’ll focus on CMMC scoping and asset categories for Level 2.
What are the CMMC asset categories for Level 2?
32 CFR § 170.19(c)(1) defines five categories that assets can be mapped into for a Level 2 assessment. Each category has different documentation and assessment requirements. We provide an overview of them below.
| Asset category | Definition | In asset inventory | In SSP | In network diagram | Assessed against all Level 2 requirements |
|---|---|---|---|---|---|
| CUI Assets | Assets that process, store, or transmit Controlled Unclassified Information (CUI). | Yes | Yes | Yes | Yes |
| Security Protection Assets (SPAs) | Assets that provide security functions or capabilities to the CMMC Assessment Scope, whether or not they handle CUI. | Yes | Yes | Yes | Only the requirements relevant to the security functions or capabilities provided; FedRAMP Moderate (or equivalent) status matters if the provider also handles CUI. |
| Contractor Risk Managed Assets (CRMAs) | Assets that can, but are not intended to, access CUI or SPD because of the risk-based policies, procedures, and practices in place. | Yes | Yes | Yes | No, if risk management is documented adequately in the SSP; otherwise the assessor performs a limited check. |
| Specialized Assets | Assets that may handle CUI but cannot be fully secured with standard methods (OT, IoT, GFE, and similar). | Yes | Yes | Yes | No; the assessor reviews the SSP only. |
| Out-of-Scope Assets | Assets that cannot process, store, or transmit CUI, do not provide security protections for CUI assets, and do not fall into the categories above. | No | No | No | No, but you must be able to justify why these assets cannot access or impact CUI or SPD. |
1. CUI Assets
CUI assets, which process, store, or transmit CUI, are the core focus of your CMMC Level 2 implementation. Examples include file servers, user devices accessing CUI, and cloud storage containing CUI.
You must meet a range of documentation requirements for CUI assets, including:
- Documenting each asset in the asset inventory
- Documenting the treatment of these assets in the System Security Plan (SSP)
- Including these assets in the network diagram of the CMMC Assessment Scope
- Within your network diagram all CUI Assets must be labeled accordingly and show which way CUI is flowing in and out of said CUI asset(s).
If these CUI assets belong to an external service provider (ESP), then your organization must meet additional requirements, including:
- Documenting the use of the ESP, its relationship to your organization, and the services provided in the SSP.
- Collecting the ESP’s service description and customer responsibility matrix (CRM), which identifies who is responsible for which security requirement objectives, and documenting those requirements in the SSP as well.
- Ensuring that, if the ESP is a cloud service provider, they are FedRAMP Moderate authorized, equivalent, or higher.
You must be prepared for CUI assets to be assessed against all Level 2 security requirements, meaning all 110 requirements from NIST SP 800-171 Revision 2.
2. Security Protection Assets (SPAs)
Security Protection Assets (SPAs) are assets that provide security functions or capabilities to your CMMC Assessment Scope. They don’t necessarily touch CUI themselves.
For example, an external service provider that delivers a security information and event management (SIEM) service falls into this category. Even if the SIEM is logically separated and never processes CUI, it still supports your implementation of the 110 NIST SP 800-171 Rev. 2 requirements. Other examples include cloud-based security solutions, hosted VPN services, co-located data centers, Mobile Device Management (MDM) tools, and security operations centers (SOCs).
Data that is stored or processed by these SPAs is called Security Protection Data (SPD), and the assets holding it fall into this category too. Examples of SPD are the configuration data of an SPA, logs it generates, and passwords that grant access to the in-scope environment.
This asset category has the same requirements as CUI assets — including documenting them in the asset inventory, SSP, and network diagram, and collecting the service description and CRM of any external service providers that handle SPD.
If an external SPA is responsible for implementing NIST 800-171 requirements on your behalf, check the vendor’s FedRAMP Moderate authorization (or equivalent) status. If the SPA only supports your own implementation of those requirements, collect the service description and CRM at a minimum. FedRAMP Moderate authorization or equivalence is desirable in that case, but it is not a hard requirement for providers that do not process, store, or transmit CUI.
Also like CUI assets, you should be prepared for SPAs to be assessed against Level 2 security requirements. However, unlike CUI Assets, these will only be assessed against Level 2 security requirements that are relevant to the security functions or capabilities provided.
3. Contractor Risk Managed Assets (CRMAs)
Contractor Risk Managed Assets (CRMAs) are assets that can, but are not intended to, access CUI because of the risk-based security policies, procedures, and practices in place. Typical examples are shared IT infrastructure, segmented admin systems, and BYOD devices that have a path to the CUI environment but are deliberately kept out of it.
This category has the same documentation requirements as CUI assets and SPAs. CRMAs are not assessed against all Level 2 requirements if they are properly risk-managed and documented, but you should be prepared for a limited check if they are not.
The assessor will review the SSP and any relevant Customer Responsibility Matrix (CRM) and decide:
- If the assets are sufficiently documented in risk-based security policies, procedures, and practices, they are not assessed against other CMMC security requirements, except as noted.
- If they are not sufficiently documented and the assessor has questions about them, the assessor conducts a limited check against CMMC security requirements to identify any deficiencies.
4. Specialized Assets
Specialized assets are assets that can (but may not) process, store, or transmit CUI and are difficult to secure using standard methods due to their nature. Examples include:
- Operational Technology (OT) systems such as industrial control systems, building management systems, fire control systems, and physical access control systems
- Internet of Things (IoT) devices such as lighting, heating, ventilation, and air conditioning controls
- Industrial Internet of Things (IIoT) devices such as radio frequency identification tags
- Government-furnished equipment (GFE), i.e. any equipment, material, actual property, or testing/tooling equipment owned or leased by the government
- Restricted information systems such as fielded systems, obsolete systems, and product deliverable replicas that are used to support a government contract
- Test equipment such as power meters, spectrum analyzers, and oscilloscopes
Like the other asset types, these must be documented in the asset inventory, SSP, and network diagram of the CMMC Assessment Scope.
The difference is that in the SSP, you must clearly show how these assets are connected and managed using risk-based security policies, procedures, and practices. The assessor will then review the SSP and data flow diagrams, but not assess this asset category against other CMMC requirements. Not requiring these specialized assets to be assessed against CMMC security requirements saves defense contractors a significant amount of money and time.
5. Out-of-Scope Assets
Out-of-scope assets have no interaction with or security protections for CUI, its CUI environment, and/or SPD and do not fall into any of the asset categories above. Examples include sales tools and marketing systems with no CUI or SPD access.
These assets do not need to be documented, evaluated, or protected under CMMC. However, organizations should be prepared to justify the inability of an out-of-scope asset to store, process, or transmit CUI or SPD due to the boundaries they’ve put in place or by the nature of its functions.

How to categorize and scope assets for CMMC Level 2 assessments
Scoping and categorization is part detective work, part documentation. The goal is to first create a clear picture of where CUI and/or SPD lives, how it moves, and what systems or users interact with it. Then, you can use that picture to assign each asset to a category and determine next steps.
Here’s a more detailed breakdown of each step:
1. Identify how CUI or SPD flows within your organization
Start with a CUI and/or SPD data discovery and mapping process to understand how exactly this information enters and moves within your organization. Ask the following questions:
- What contracts or projects require handling CUI or SPD?
- What type of CUI or SPD do we receive and how is it delivered?
- Where does CUI or SPD get stored?
- Who interacts with it?
- What tools or systems process, transmit, or secure that information?
- Are you or the SPA responsible for the CMMC controls being implemented? If the SPA is, are they FedRAMP Moderate Authorized? Do you have a CRM for them?
- If not, how are you using the SPA? Is it documented within your SSP?
To get answers to these questions, consider a combination of techniques such as:
- Using interviews and questionnaires with department leads.
- Reviewing contract documents for references to CUI or DFARS clauses.
- Analyzing email, cloud storage, and collaboration platform logs.
- Using automated asset discovery and mapping tools.
- Checking the FedRAMP marketplace to ensure vendors are listed there or check their Trust Centers for FedRAMP, CMMC, and/or NIST 800-171 status.
2. Classify each asset according to the five CMMC asset types
Once you’ve mapped out where CUI and SPD is handled, classify each asset. Here’s a key question to ask when identifying each asset category.
| Asset type | Key question to ask |
|---|---|
| CUI Assets | Does this system directly process, store, or transmit CUI? |
| Security Protection Assets | Does this system support the security of CUI assets (e.g., a firewall, antivirus, IAM) and/or contain SPD? |
| Contractor Risk Managed Assets | Could this system access CUI but is restricted through policies or segmentation? |
| Specialized Assets | Is this an atypical device that’s hard to secure or manage (e.g., OT, IoT, GFE)? |
| Out-of-Scope Assets | Does this system have no access, connection, or relevance to CUI or SPD in any form? |
Clearly document the classification rationale for each asset, especially for contractor risk managed and specialized assets. Your assessor will expect justification and network diagrams that are labeled accordingly.
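The key questions above only work if they are asked in a fixed order, because several can be true of the same asset at once (an OT controller that also stores CUI is a CUI asset, not a specialized asset). The following helper, added here as an example and not part of the original article or any official DoD tooling, encodes that priority order and derives the documentation and assessment treatment for each asset. The record fields, asset names, and provider names are assumptions for illustration.

```python
"""Priority-ordered asset categorization for a CMMC Level 2 scoping pass.

Added example, not part of the original article. The record fields,
asset names, and provider names below are assumptions for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class Category(str, Enum):
    CUI = "CUI Asset"
    SPA = "Security Protection Asset"
    CRMA = "Contractor Risk Managed Asset"
    SPECIALIZED = "Specialized Asset"
    OUT_OF_SCOPE = "Out-of-Scope Asset"


# Asset types the Level 2 scoping guidance treats as specialized.
SPECIALIZED_TYPES = {"ot", "iot", "iiot", "gfe", "restricted", "test-equipment"}

ASSESSMENT = {
    Category.CUI: "all 110 NIST SP 800-171 Rev. 2 requirements",
    Category.SPA: "requirements relevant to the security function provided",
    Category.CRMA: "SSP review; limited check if risk management is not documented",
    Category.SPECIALIZED: "SSP review only",
    Category.OUT_OF_SCOPE: "not assessed; be ready to justify the exclusion",
}


@dataclass
class Asset:
    name: str
    asset_type: str                      # "server", "laptop", "saas", "ot", ...
    handles_cui: bool = False            # processes, stores, or transmits CUI
    provides_security: bool = False      # firewall, SIEM, IAM, MDM, SOC, ...
    holds_spd: bool = False              # logs, configs, or credentials of the CUI environment
    can_reach_cui: bool = False          # network path or account access to CUI assets exists
    restricted_by_policy: bool = False   # risk-managed so it is not used for CUI
    external_provider: Optional[str] = None  # ESP/CSP name if not operated in-house
    fedramp_moderate: bool = False       # FedRAMP Moderate authorized or equivalent
    crm_collected: bool = False          # customer responsibility matrix on file


@dataclass
class Treatment:
    category: Category
    documented: bool          # must appear in inventory, SSP, and network diagram
    assessed_against: str
    findings: List[str] = field(default_factory=list)


def categorize(a: Asset) -> Category:
    """Apply the key questions in priority order.

    Order matters: an OT controller that stores CUI is a CUI asset, not a
    specialized asset, and a SIEM that never sees CUI is still an SPA.
    """
    if a.handles_cui:
        return Category.CUI
    if a.provides_security or a.holds_spd:
        return Category.SPA
    if a.asset_type in SPECIALIZED_TYPES:
        return Category.SPECIALIZED
    if a.can_reach_cui:
        # Reachable but not risk-managed: the conservative call is CUI asset,
        # because nothing documented stops it from handling CUI.
        return Category.CRMA if a.restricted_by_policy else Category.CUI
    return Category.OUT_OF_SCOPE


def scope(a: Asset) -> Treatment:
    """Derive documentation need, assessment treatment, and open items for one asset."""
    cat = categorize(a)
    t = Treatment(cat, cat is not Category.OUT_OF_SCOPE, ASSESSMENT[cat])
    if a.external_provider and t.documented:
        if not a.crm_collected:
            t.findings.append(f"collect service description and CRM from {a.external_provider}")
        if cat is Category.CUI and not a.fedramp_moderate:
            t.findings.append(f"{a.external_provider} handles CUI but lacks FedRAMP Moderate or equivalent")
    return t


def scope_inventory(assets: List[Asset]) -> Dict[str, Treatment]:
    """Scope a whole inventory, keyed by asset name."""
    return {a.name: scope(a) for a in assets}


# Constructed sample inventory (illustrative, not real systems or vendors).
SAMPLE_INVENTORY = [
    Asset("fs01", "server", handles_cui=True),
    Asset("siem-saas", "saas", provides_security=True, holds_spd=True, external_provider="ExampleSIEM"),
    Asset("hvac-ctl", "ot"),
    Asset("eng-laptop-07", "laptop", can_reach_cui=True, restricted_by_policy=True),
    Asset("share-saas", "saas", handles_cui=True, external_provider="ExampleShare", crm_collected=True),
    Asset("jump-host", "server", can_reach_cui=True),
    Asset("crm-sales", "saas", external_provider="ExampleCRM"),
]

if __name__ == "__main__":
    for name, t in scope_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:14} {t.category.value:30} documented={t.documented}  assessed: {t.assessed_against}")
        for f in t.findings:
            print(f"{'':14} - {f}")
```

Two design choices are worth noting. First, an asset that can reach CUI but has no documented risk-based restriction is classified as a CUI asset rather than a CRMA; that mirrors the "err on the side of caution" advice later in this article and forces you to either document the restriction or accept the full 110-requirement assessment. Second, the FedRAMP finding fires only for external providers that handle CUI, while the CRM finding fires for any external provider in scope, including SPD-only SPAs.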
3. Consult an expert
At this point, it might be a good idea to consider getting a second opinion on your CMMC assessment boundary from a CMMC Registered Practitioner Organization (RPO), vCISO, or consultant with CMMC experience.
This type of expert can help confirm that you’ve correctly identified how CUI and SPD flow through your environment, which categories your assets fall under, and whether your documentation is robust enough to explain all of that to an assessor. Having this documentation ready before the assessment reduces scope complexity, simplifies compliance, lowers costs, and improves your readiness for a formal assessment.
4. Reduce scope with segmentation
To minimize the systems and users that must meet all 110 CMMC Level 2 practices, you can use network segmentation and access controls to:
- Create isolated environments or enclaves for CUI or SPD.
- Restrict access to CUI or SPD to only authorized users.
- Limit connectivity between in-scope and out-of-scope systems.
If segmentation is effectively implemented and enforced, it can reduce audit complexity, cost, and effort.
5. Include any tools that carry CUI or SPD in scope
It’s critical that any tools that carry CUI or SPD are included in your CMMC Assessment Scope. The more tools in scope, the more assets that you have to track, document, and ensure are FedRAMP Moderate authorized or higher, or meet equivalent security requirements.
There are strategies you can use to reduce scope and the overhead of compliance, like only using FedRAMP authorized companies in the FedRAMP marketplace (approximately 400 to date). You can also visit their Trust Center, if they have one, to see their FedRAMP status and other security certifications.
Creating a segmented CMMC enclave is another way to reduce the scope of third-party tools as well. An enclave is a controlled, logically or physically isolated segment of the IT environment where CUI is stored or processed. By creating a well-segmented enclave, you significantly reduce the number of in-scope assets and only have to apply CMMC controls to this segment, not your entire network.
6. Define and document the CMMC assessment boundary
Document all assets that fall within your CMMC assessment boundary. This boundary includes:
- All CUI assets
- All security protection assets (SPAs)
- All contractor risk managed assets, with the risk-based policies that keep them away from CUI
- All specialized assets, with how they are connected and managed
- A justification for excluding out-of-scope systems
This boundary should be clearly defined in your SSP and reflected in your network diagrams, asset inventory, and data flow maps.
7. Continuously monitor and update the scope
Scoping isn’t a one-time exercise. You need to reassess scope when:
- You take on a new contract that involves CUI or SPD.
- You add or retire systems.
- There’s an organizational change or acquisition.
- New CUI or SPD flows, processes, or integrations are introduced.
Establish a change management process that includes scoping considerations to ensure continued alignment with your CMMC obligations.
Common mistakes to avoid with CMMC scoping
Even well-intentioned organizations make avoidable errors during scoping and categorization. Here are the most common, plus tips for how to avoid them.
Mistake | Description | Impact | How to avoid |
---|---|---|---|
Over-scoping the environment | Including every system, user, and device in your environment — even those that don’t interact with CUI. | Increased compliance burden and cost unnecessarily. | Carefully trace CUI and SPD flows and limit in-scope assets to only those with a clear and documented connection to CUI and SPD. |
Under-scoping or misclassifying assets | Excluding systems that should be in-scope (e.g., a shared server that temporarily stores CUI). | Major audit findings, failed assessments, and unaddressed risks to CUI. | Perform thorough asset discovery, validating assumptions with technical teams, and apply conservative classifications when unsure. |
Poor or missing documentation | Not providing enough detail to justify asset categorizations, especially for contractor risk managed and specialized assets. | The assessor may reject your boundary definition, causing a delay in certification. | Thoroughly document categorization decisions in the SSP and keep an auditable trail of asset management, network diagrams, and segmentation strategies. |
Treating specialized assets as out-of-scope without risk justification | Excluding specialized assets like OT or IoT systems without explaining how they are isolated or pose low risk to CUI. | The assessor may flag the system as in-scope due to insufficient risk treatment, which may cause a delay in certification. | Identify specialized assets, detail why standard controls aren’t feasible, and implement alternative safeguards or isolation techniques. |
Failing to regularly assess scope | Scoping once and never revisiting, even after major changes like new contracts or system deployments. | You may be out of compliance without realizing it due to outdated and inaccurate assessment scope. | Include scope review as part of your change management and continuous monitoring practices. |
Using cloud services without FedRAMP Moderate Authorization | Failing to verify the FedRAMP authorization status of cloud service providers that store, process, or transmit CUI or SPD on your behalf. | You can’t move beyond the first phase of your CMMC assessment without this verification for CUI assets and/or SPAs that are responsible for control implementations within the scope of your audit. | Validate a vendor’s FedRAMP authorization status through the FedRAMP Marketplace and/or their Trust Center. |
1. Over-scoping the environment
One of the most common mistakes is including every system, user, or device in the CMMC assessment boundary, regardless of whether they interact with CUI or SPD. This over-cautious approach can dramatically increase your compliance burden, requiring unnecessary controls across systems that don’t actually impact CUI or SPD.
While it’s important to be thorough, over-scoping can lead to wasted time, resources, and audit preparation efforts. Instead, focus on mapping CUI and SPD flows accurately and limiting your scope to systems and users with a justifiable connection to that data.
2. Under-scoping or misclassifying assets
On the flip side, some organizations make the mistake of excluding assets that should be in scope, often due to misunderstandings about how CUI or SPD moves through their environment. For example, a shared file server or collaboration tool might only temporarily store CUI or SPD, but that’s enough to bring it into scope.
Misclassifying or overlooking assets can lead to major gaps and noncompliance during a Level 2 assessment. The best way to avoid this is by conducting thorough data mapping, validating assumptions with your technical teams, and erring on the side of caution when asset roles are unclear.
3. Poor or missing documentation
Even if you categorize assets correctly, insufficient documentation can raise red flags during an assessment. Assessors need to see clear justifications for each classification, particularly for contractor risk managed and specialized assets. If you can’t show how a system is segmented, restricted, or governed by policy, it may be treated as in-scope by default.
To avoid surprises, document your asset categorizations, the FedRAMP authorization status of your assets, and boundary definitions thoroughly within your SSP, network diagrams, and asset inventories.
4. Treating specialized assets as out-of-scope without risk justification
Organizations often assume that OT, IoT devices, or GFE assets are automatically out-of-scope. But assessors require justification for excluding these specialized assets, especially if they’re on the same network or have potential access to CUI systems.
Simply labeling something “specialized” doesn’t exempt it. You must show how the risk is mitigated, whether through segmentation, limited access, or compensating controls. Be ready to explain why these assets are difficult to secure and what you're doing to address the associated risks.
5. Failing to maintain scope over time
Another frequent issue is treating scoping as a one-time task rather than an ongoing process. When organizations adopt new systems, expand to new environments, or take on new contracts involving CUI or SPD, they often forget to revisit and update their CMMC boundary. This can leave previously out-of-scope systems exposed or introduce compliance gaps that go unnoticed until an assessment.
To avoid this, integrate scope reviews into your change management and continuous monitoring processes, ensuring your CMMC program stays aligned with your operational reality.
6. Using cloud services without FedRAMP Moderate Authorization
For CMMC Level 2, any external cloud provider that stores, processes, or transmits CUI and/or is responsible for the control implementations related to SPD on your behalf must have a current FedRAMP Moderate authorization, higher, or equivalent. Failing to verify this authorization status, particularly when it comes to popular commercial cloud services, is a common mistake that organizations make.
If this verification is missing, your organization cannot progress beyond phase 1 of the CMMC assessment. So it’s essential that you validate a vendor’s FedRAMP authorization status through the FedRAMP Marketplace or in the vendor’s Trust Center, if they have one, before including them in your in-scope environment.

Let Secureframe simplify the CMMC Level 2 scoping process
Secureframe’s cutting-edge automation and in-house team of compliance experts and former CMMC, FISMA, and FedRAMP auditors can help you automate asset discovery, prepare for a CMMC audit, and categorize systems with ease. Secureframe can:
- Integrate with your existing infrastructure to identify in-scope assets.
- Generate a System Security Plan (SSP) to help define and document CMMC assets and control implementations
- Help you define and document your CMMC boundary.
- Align each asset with the required CMMC practices.
- Track changes in your environment to ensure ongoing CMMC compliance.
- Generate, track, and maintain Plan of Action & Milestones (POAM)
Whether you're preparing for a Level 2 self-assessment or an official C3PAO audit, we simplify the scoping process so you can focus on building a secure and compliant operation. Learn more by requesting a demo.
FAQs
What is a CUI asset?
CUI assets are assets that process, store, or transmit CUI. More specifically, this includes:
- Assets that can use CUI, including accessing, entering, editing, generating, manipulating, or printing CUI. This is what is meant by “process.”
- Assets where CUI is inactive or at rest. This includes CUI located on electronic media, in system component memory, or in physical format such as paper documents. This is what is meant by “store.”
- Assets from which CUI is transferred to or from another asset, such as data in transit using physical or digital transport methods. This is what is meant by “transmit.”
What is Security Protection Data?
Security Protection Data (SPD) is data that is created, stored, or used by a Security Protection Asset (SPA). This data is security-relevant and could aid an attacker in compromising the system if disclosed. Examples of SPD include but are not limited to:
- Log or configuration data of an SPA
- Data related to the configuration or vulnerability status of in-scope assets
- Passwords that grant access to the in-scope environment
What types of assets are in-scope for a CMMC Level 2 assessment?
The following asset categories are part of the Level 2 CMMC Assessment scope:
- CUI Assets
- Security Protection Assets
- Contractor Risk Managed Assets
- Specialized Assets
What are the requirements for defining your CMMC assessment scope?
There are three key requirements for defining the CMMC assessment scope:
- Create an asset inventory of all in-scope assets.
- Document all in-scope assets in a System Security Plan (SSP), detailing how each is protected using NIST 800-171 controls or other risk-based policies, procedures, and practices.
- Provide a network diagram of the assessment scope, accurately including and categorizing all in-scope assets.