What Is Actually In Scope for Your CMMC Assessment?
Answer a few questions and get a practical, assessor-minded view of what may be in scope, what may be a Security Protection Asset, and where your boundary may need more work.
Before you begin
This is an educational scoping estimate. Final scope should be validated against your actual CUI data flows, asset inventory, SSP, network diagrams, and provider responsibility matrix.
- ~5 minutes, seven short sections
- Branching logic for VDI / Cloud PC environments
- You can answer “Not sure” any time. We'll flag what to confirm later.
What counts as CUI for scoping?
For CMMC, what matters is whether an asset processes, stores, or transmits CUI. The CMMC Scoping Guide (Level 2) defines those three terms as follows:
- Process. CUI can be used by an asset (for example, accessed, entered, edited, generated, manipulated, or printed).
- Store. CUI is inactive or at rest on an asset (for example, located on electronic media, in system component memory, or in physical format such as paper documents).
- Transmit. CUI is being transferred from one asset to another asset (for example, data in transit using physical or digital transport methods).
Any asset that processes, stores, or transmits CUI is a CUI Asset and is in the CMMC Assessment Scope. If you are not sure whether your contracts include CUI, start with your contracting officer or your prime. They can confirm whether DFARS clauses 252.204-7012, 7019, 7020, or 7021 apply to your work.
The five asset categories in CMMC, simplified
CMMC Level 2 scoping puts every asset into one of five categories. Knowing which bucket each system lives in is the foundation of an efficient assessment.
- CUI Assets. Anything that processes, stores, or transmits CUI. The full set of Level 2 security requirements applies.
- Security Protection Assets. Anything that provides a security function or capability to a CUI Asset. Examples include firewalls, EDR, identity providers, MFA, SIEM, and your MSP if they have administrative access. They are assessed against the Level 2 requirements relevant to the capabilities they provide.
- Contractor Risk Managed Assets. Assets that are capable of, but not intended to, process, store, or transmit CUI because of the security policies in place. They are documented and reviewed, but they do not automatically get assessed against every Level 2 requirement.
- Specialized Assets. Government Furnished Equipment, IoT or IIoT devices, Operational Technology, Restricted Information Systems, and Test Equipment. They are documented and managed under risk-based policies, and not assessed against every Level 2 requirement.
- Out-of-Scope Assets. Assets that cannot process, store, or transmit CUI and do not provide security protections to CUI Assets. They are excluded from the assessment.
How VDI or Cloud PC affects your scope
A virtual desktop or Cloud PC like Azure Virtual Desktop or Windows 365 can shrink scope dramatically, but only if you actually keep CUI inside the virtual environment. If users can download files to their laptop, copy CUI to the clipboard, print to a home printer, or plug in a USB flash drive, the local device receives CUI and becomes a CUI Asset. At that point you have reproduced the same scope you were trying to avoid.
The CMMC Scoping Guide is explicit on this point. An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond keyboard, video, and mouse sent to the VDI client is considered an Out-of-Scope Asset. Any redirection that lets CUI leak to the local device breaks that condition.
Treat the VDI as a boundary you must enforce with technical controls and prove with evidence: redirection policies blocking downloads, clipboard, drives, and printers; Conditional Access on who can sign in; DLP on data in motion; and session monitoring on what users do.
Are BYOD devices in scope?
If a personal device can download CUI, cache it locally, sync it, print it, copy it, or save it to local storage, it should be treated as a CUI Asset.
To keep BYOD endpoints out of scope, organizations usually need to prevent CUI from reaching the local device. A VDI or controlled web application may support this approach when CUI stays inside the managed environment and users cannot download, copy, print, sync, or save it locally.If CUI is not permitted in email, and users only access non-CUI email or a company portal through a managed or containerized app, the phone may stay out of the CUI asset boundary. The key is whether CUI can reach the phone, not whether the phone is personally owned.
Is email in scope?
If CUI ever enters or sits in a mailbox, your email system is a CUI Asset. That means the mailboxes, the underlying email service (Exchange Online, GCC High, and so on), and the user accounts that send and receive CUI all need to meet CMMC Level 2 controls. Email security gateway, DLP, journaling, and retention are usually Security Protection Assets supporting that mailbox scope.
Email is one of the most overlooked CUI ingress points. Walk a few days of inbound mail before you finalize scope.
Should you use Microsoft 365 Commercial for CUI?
Short answer: no. Microsoft 365 Commercial is the default tenant most organizations sign up for, but it is not FedRAMP authorized to the levels DFARS 252.204-7012 requires for CUI handling. For CUI workloads, you typically need Microsoft 365 GCC High, which has the authorizations and contractual terms designed for CUI.
Microsoft 365 GCC sits between Commercial and GCC High, and may be acceptable for some scenarios but not others. Confirm with your contracting officer, your prime, and your Microsoft licensing partner before relying on it. If you currently process CUI in Commercial and your contract includes the relevant DFARS clauses, plan a migration to GCC High well before your CMMC assessment.
Is your physical facility in scope?
If CUI is processed, stored, printed, or even discussed in a physical space your organization controls, that space is part of your CMMC scope. Workstations in general office areas, conference rooms where CUI is shown on screens, server rooms hosting on-prem CUI systems, print and scan stations, and storage cabinets for hard-copy CUI are all CUI Assets in the physical sense.
Do not overlook voice. If CUI is discussed over VOIP phones, the phones themselves, the call manager, the voicemail or call recording system, and any softphone clients on user devices can become CUI Assets, and the physical area where those calls take place comes into scope. The same applies to video conferencing systems that handle CUI discussions.
The most common physical-scope mistakes are handling CUI in unrestricted general office areas without badge access, printing CUI without a media protection procedure, and forgetting that conference room discussions of CUI are themselves a form of processing.
What is a Customer Responsibility Matrix?
When a cloud provider, MSP, or MSSP performs security functions on your behalf, you and they share the work. Only one of you actually performs each control. A Customer Responsibility Matrix (CRM) is the document that says who does what, line by line. Without it, you cannot prove which controls are yours, which are theirs, and how the inheritance works.
Assessors will ask for one for every External Service Provider in scope. Build it before assessment, not during.
Common scoping mistakes that catch organizations off guard
- Assuming “we use Microsoft 365” is your full scope statement. In a cloud-only environment where all CUI lives inside your tenant, the tenant boundary may be your CMMC boundary. In a hybrid environment, the tenant alone is not the boundary; on-prem systems, local endpoints, and other cloud services that touch CUI also need to be in scope.
- Storing or processing CUI in Microsoft 365 Commercial. The commercial tier is not FedRAMP authorized for CUI handling under DFARS 252.204-7012.
- Assuming a VDI shrinks scope without verifying clipboard, USB, print, and download policies.
- Forgetting that BYOD devices that touch CUI become CUI Assets.
- Treating MSPs as out-of-scope vendors when they have administrative access to your environment.
- Not documenting where CUI lives physically, including printed copies, conference rooms, server closets, and VOIP call paths.
- Missing the email path. Email is one of the most common CUI ingress points.
- Allowing split tunneling on CUI-handling endpoints, which lets traffic bypass network controls.
What “in scope” actually means
The CMMC Scoping Guide (Level 2) defines an Assessment, per 32 CFR § 170.4, as “the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization.” The CMMC Assessment Scope is the set of assets within your environment that will be assessed.
In practical terms, if an asset is in your CMMC Assessment Scope as a CUI Asset, every applicable Level 2 security requirement will be tested on it: access enforcement, audit logging, encryption, configuration management, incident response, media protection, and so on. Reducing scope means fewer assets to test, fewer pieces of evidence to produce, and a faster, less expensive assessment, but only if the boundary is real and provable.
References
Definitions and direct quotes on this page come from the official CMMC Scoping Guide (Level 2), DoD CIO. For the canonical text and the most recent version, refer to the DoD CIO CMMC documentation page.