CMMC Level 2 Scoping Guidance

The CMMC Level 2 Scoping Guidance outlines how contractors must identify and categorize assets in their environment when preparing for an assessment related to Controlled Unclassified Information (CUI). This applies to both self-assessments and third-party/government-led assessments.

The guidance defines the following asset categories:

  • CUI Assets – Systems that process, store, or transmit CUI; always in scope.

  • Security Protection Assets – Systems that provide security functions to CUI assets (e.g., firewalls, endpoint protection); also in scope.

  • Contractor Risk Managed Assets (CRMAs) – Assets that do not process CUI by design and policy, but are not separated from CUI assets. These must be included in documentation (SSP, inventory, diagrams) but are not assessed against CMMC practices unless documentation is insufficient.

  • Specialized Assets – Operational technology, IoT, and government-furnished equipment; handling is context-dependent.

  • Out-of-Scope Assets – Assets that neither touch CUI nor provide security to in-scope systems, and that are properly isolated.

This guidance helps organizations define system boundaries, properly document non-CUI systems, and ensure only relevant systems are assessed for Level 2 compliance.

https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL2v2.pdf
