CMMC Level 3 Scoping Guidance

The CMMC Level 3 Scoping Guidance (v2.13) outlines how DoD contractors must identify and document systems and assets in preparation for a Level 3 certification assessment, as defined in 32 CFR § 170.19. This guide is for organizations handling highly sensitive Controlled Unclassified Information (CUI) that supports national security missions.

Key asset categories in the Level 3 scope include:

  • CUI Assets – Systems that process, store, or transmit CUI. This includes assets designated as Contractor Risk Managed Assets (CRMAs) in Level 2, which are treated as CUI Assets at Level 3.

  • Security Protection Assets – Systems providing security services (e.g., firewalls, monitoring tools); subject to full assessment.

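  • Specialized Assets – Assets such as Internet of Things (IoT) devices, Operational Technology (OT), test equipment, and Government Furnished Equipment (GFE); these require documentation and are assessed against relevant Level 3 requirements.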

  • Out-of-Scope Assets – Must not interact with CUI and must be physically or logically separated; no assessment required.

All in-scope assets must be documented in an asset inventory, System Security Plan (SSP), and network diagram, and are subject to Level 2 and Level 3 security requirements. Only DCMA DIBCAC (government assessors) are authorized to perform Level 3 assessments.

https://dodcio.defense.gov/Portals/0/Documents/CMMC/ScopingGuideL3v2.pdf
