1. CUI Assets

CUI assets, which process, store, or transmit CUI, are the core focus of your CMMC Level 2 implementation. Examples include file servers, user devices accessing CUI, and cloud storage containing CUI. 

You must meet a range of documentation requirements for CUI assets, including:

• Documenting each asset in the asset inventory
• Documenting the treatment of these assets in the System Security Plan (SSP)
• Including these assets in the network diagram of the CMMC Assessment Scope
• Within your network diagram all CUI Assets must be labeled accordingly and show which way CUI is flowing in and out of said CUI asset(s).

If these CUI assets belong to an external service provider (ESP), then your organization must meet additional requirements, including:

• Documenting the use of the ESP, its relationship to your organization, and the services provided in the SSP.
• Collecting the ESP’s service description and customer responsibility matrix (CRM), which identifies who is responsible for which security requirement objectives, and documenting those requirements in the SSP as well.
• Ensuring that, if the ESP is a cloud service provider, they are FedRAMP Moderate authorized, equivalent, or higher.

You must be prepared for CUI assets to be assessed against all Level 2 security requirements, meaning all 110 requirements from NIST SP 800-171 Revision 2. 

2. Security Protection Assets (SPAs)

Security Protection Assets (SPAs) are assets that secure the controls for CMMC but don’t necessarily touch CUI.

For example, an external service provider that provides a security information and event management (SIEM) service would fall under this category. That’s because, even if the SIEM service was logically separated and did not process CUI, it still contributes to the organizational security capabilities and implementation of meeting the 110 controls of NIST 800-171 Rev. 2 and CMMC requirements. Other examples include cloud-based security solutions, hosted VPN services, co-located data centers, Mobile Device Management (MDM) tools, and security operations centers (SOCs).

Data that is stored or processed by these SPAs is called Security Protection Data (SPD) and also falls into this asset category. Examples of SPD are configuration setting data required implemented from a SPA or passwords that grant access to the in-scope environment.

This asset category has the same requirements as CUI assets — including documenting them in the asset inventory, SSP, and network diagram, and collecting the service description and CRM of any external service providers that handle SPD. 

If SPAs are responsible for the controls implementing NIST 800-171, then the organization must also check the vendor’s FedRAMP Moderate authorization status or equivalent. If they are not responsible for any controls but are being used to support the meeting of those controls, then CRMs should be collected at least. Ideally, they are FedRAMP Moderate authorized or equivalent, but that is not a hard requirement if they do not touch CUI.

Also like CUI assets, you should be prepared for SPAs to be assessed against Level 2 security requirements. However, unlike CUI Assets, these will only be assessed against Level 2 security requirements that are relevant to the security functions or capabilities provided. 

3. Contractor Risk Managed Assets (CRMAs)

Contractor Risk Managed Assets (CRMAs) are assets that can, but are not intended to, access CUI due to the risk-based security policies, procedures, and practices in place. For example, shared IT resources or devices segmented or specifically not used from the CUI environment fall into this asset category. Examples of CRMAs are shared IT infrastructure, segmented admin systems, and BYOD devices.

This asset category has the same documentation requirements as CUI and SPA assets and you should be prepared to be assessed against all Level 2 security requirements. However, they may not need to be assessed against all requirements if they are properly documented and risk-managed. 

The assessor will review the SSP and relevant Customer Responsibility Matrix (CRM) decide:

• If they are sufficiently documented to not assess against other CMMC security requirements, except as noted.
• If they are not sufficiently documented in risk-based security policies, procedures, and practices documentation and the assessor has questions about these assets, then the assessor will conduct a limited check against CMMC security requirements to identify any deficiencies. 

4. Specialized Assets

Specialized assets are assets that can (but may not) process, store, or transmit CUI and are difficult to secure using standard methods due to their nature. Examples include:

• Operational Technology (OT) systems such as industrial control systems, building management systems, fire control systems, and physical access control systems
• Internet of Things (IoT) devices such as lighting, heating, ventilation, and air conditioning controls
• Industrial Internet of Things (IIoT) devices such as radio frequency identification tags
• Government-furnished equipment (GFE), i.e. any equipment, material, actual property, or testing/tooling equipment owned or leased by the government
• Restricted information systems such as fielded systems, obsolete systems, and product deliverable replicas that are used to support a government contract
• Test equipment such as power meters, spectrum analyzers, and oscilloscopes

Like the other asset types, these must be documented in the asset inventory, SSP, and network diagram of the CMMC Assessment Scope. 

The difference is that in the SSP, you must clearly show how these assets are connected and managed using risk-based security policies, procedures, and practices. The assessor will then review the SSP and data flow diagrams, but not assess this asset category against other CMMC requirements. Not requiring these specialized assets to be assessed against CMMC security requirements saves defense contractors a significant amount of money and time. 

5. Out-of-Scope Assets

Out-of-scope assets have no interaction with or security protections for CUI, its CUI environment, and/or SPD and do not fall into any of the asset categories above. Examples include sales tools and marketing systems with no CUI or SPD access.

These assets do not need to be documented, evaluated, or protected under CMMC. However, organizations should be prepared to justify the inability of an out-of-scope asset to store, process, or transmit CUI or SPD due to the boundaries they’ve put in place or by the nature of its functions.

Clearly document the classification rationale for each asset, especially for contractor risk managed and specialized assets. Your assessor will expect justification and network diagrams that are labeled accordingly.

3. Consult an expert

At this point, it might be a good idea to consider getting a second opinion on your CMMC assessment boundary from a CMMC Registered Practitioner Organization (RPO), vCISO, or consultant with CMMC experience. 

This type of expert can help ensure you’ve correctly identified how CUI and SPD flows in your environment, what categories your assets fall under, and created robust enough documentation to explain all of that to an auditor. All of this must be properly documented to go through an auditor and having this information ready can help reduce scope complexity, simplify compliance, lower costs, and improve your readiness for a formal assessment. 

4. Reduce scope with segmentation

To minimize the systems and users that must meet all 110 CMMC Level 2 practices, you can use network segmentation and access controls to:

• Create isolated environments or enclaves for CUI or SPD.
• Restrict access to CUI or SPD to only authorized users.
• Limit connectivity between in-scope and out-of-scope systems.

If segmentation is effectively implemented and enforced, it can reduce audit complexity, cost, and effort.

5. Include any tools that carry CUI or SPD in scope 

It’s critical that any tools that carry CUI or SPD are included in your CMMC Assessment Scope. The more tools in scope, the more assets that you have to track, document, and ensure are FedRAMP Moderate authorized or higher, or meet equivalent security requirements. 

There are strategies you can use to reduce scope and the overhead of compliance, like only using FedRAMP authorized companies in the FedRAMP marketplace (approximately 400 to date). You can also visit their Trust Center, if they have one, to see their FedRAMP status and other security certifications. 

Creating a segmented CMMC enclave is another way to reduce the scope of third-party tools as well.  An enclave is a controlled, logically or physically isolated segment of the IT environment where CUI is stored or processed. By creating a well-segmented enclave, you significantly reduce the number of in-scope assets and only have to apply CMMC controls to this segment, not your entire network.

6. Define and document the CMMC assessment boundary

Document all assets that fall within your CMMC assessment boundary. This boundary includes:

• All CUI assets
• All security protection assets (SPAs)
• Any contractor risk managed assets that could impact CUI
• Any specialized assets that could impact CUI
• A justification for excluding out-of-scope systems

This boundary should be clearly defined in your SSP and reflected in your network diagrams, asset inventory, and data flow maps.

7. Continuously monitor and update the scope

Scoping isn’t a one-time exercise. You need to reassess scope when:

• You take on a new contract that involves CUI or SPD.
• You add or retire systems.
• There’s an organizational change or acquisition.
• New CUI or SPD flows, processes, or integrations are introduced.

Establish a change management process that includes scoping considerations to ensure continued alignment with your CMMC obligations.

1. Over-scoping the environment

One of the most common mistakes is including every system, user, or device in the CMMC assessment boundary, regardless of whether they interact with CUI or SPD. This over-cautious approach can dramatically increase your compliance burden, requiring unnecessary controls across systems that don’t actually impact CUI or SPD. 

While it’s important to be thorough, over-scoping can lead to wasted time, resources, and audit preparation efforts. Instead, focus on mapping CUI and SPD flows accurately and limiting your scope to systems and users with a justifiable connection to that data. 

2. Under-scoping or misclassifying assets

On the flip side, some organizations make the mistake of excluding assets that should be in scope, often due to misunderstandings about how CUI or SPD moves through their environment. For example, a shared file server or collaboration tool might only temporarily store CUI or SPD, but that’s enough to bring it into scope. 

Misclassifying or overlooking assets can lead to major gaps and noncompliance during a Level 2 assessment. The best way to avoid this is by conducting thorough data mapping, validating assumptions with your technical teams, and erring on the side of caution when asset roles are unclear.

3. Poor or missing documentation

Even if you categorize assets correctly, insufficient documentation can raise red flags during an assessment. Assessors need to see clear justifications for each classification, particularly for contractor risk managed and specialized assets. If you can’t show how a system is segmented, restricted, or governed by policy, it may be treated as in-scope by default. 

To avoid surprises, document your asset categorizations, the FedRAMP authorization status of your assets, and boundary definitions thoroughly within your SSP, network diagrams, and asset inventories.

4. Treating specialized assets as out-of-scope without risk justification

Organizations often assume that OT, IoT devices, or GFE assets are automatically out-of-scope. But assessors require justification for excluding these specialized assets, especially if they’re on the same network or have potential access to CUI systems. 

Simply labeling something “specialized” doesn’t exempt it. You must show how the risk is mitigated, whether through segmentation, limited access, or compensating controls. Be ready to explain why these assets are difficult to secure and what you're doing to address the associated risks.

5. Failing to maintain scope over time

Another frequent issue is treating scoping as a one-time task rather than an ongoing process. When organizations adopt new systems, expand to new environments, or take on new contracts involving CUI or SPD, they often forget to revisit and update their CMMC boundary. This can leave previously out-of-scope systems exposed or introduce compliance gaps that go unnoticed until an assessment. 

To avoid this, integrate scope reviews into your change management and continuous monitoring processes, ensuring your CMMC program stays aligned with your operational reality.

6. Using cloud services without FedRAMP Moderate Authorization

For CMMC Level 2, any external cloud provider that stores, processes, or transmits CUI and/or is responsible for the control implementations related to SPD on your behalf must have a current FedRAMP Moderate authorization, higher, or equivalent. Failing to verify this authorization status, particularly when it comes to popular commercial cloud services, is a common mistake that organizations make. 

If this verification is missing, your organization cannot progress beyond phase 1 of the CMMC assessment. So it’s essential that you validate a vendor’s FedRAMP authorization status through the FedRAMP Marketplace or in the vendor’s Trust Center, if they have one, before including them in your in-scope environment.

Let Secureframe simplify the CMMC Level 2 scoping process

Secureframe’s cutting-edge automation and in-house team of compliance experts and former CMMC, FISMA, and FedRAMP auditors can help you automate asset discovery, prepare for a CMMC audit, and categorize systems with ease. Secureframe can:

• Integrate with your existing infrastructure to identify in-scope assets.
• Generate a System Security Plan (SSP) to help define and document CMMC assets and control implementations 
• Help you define and document your CMMC boundary.
• Align each asset with the required CMMC practices.
• Track changes in your environment to ensure ongoing CMMC compliance.
• Generate, track, and maintain Plan of Action & Milestones (POAM)

Whether you're preparing for a Level 2 self-assessment or an official C3PAO audit, we simplify the scoping process so you can focus on building a secure and compliant operation. Learn more by requesting a demo.