CMMC Scoping (Kieri Solutions)
In this 7-part video series, Amira Armond and Mark Hapeman from Kieri Solutions walk you through the official CMMC Level 2 scoping guidance released with the final rule. Each video focuses on a specific asset category—CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets—explaining how to identify them, what documentation is required, and how they’re treated during assessment. Whether you’re preparing for a self-assessment or a C3PAO certification, this series will help you understand how scoping decisions impact your compliance obligations and readiness.
-
-
Part 1: CMMC Scoping after the Final Rule – identifying CUI
In Part 1, Amira Armond and Mark Hapeman of Kieri Solutions explain what Controlled Unclassified Information (CUI) is and how to recognize it. They break down the differences between FCI and CUI, clarify common misconceptions, and show how to identify CUI using markings, contract context, and legal references. This foundational video helps viewers understand what data needs protection before beginning the CMMC scoping process.
In Part 1, Amira Armond and Mark Hapeman of Kieri Solutions explain what Controlled Unclassified Information (CUI) is and how to recognize it. They break down the differences between FCI and CUI, clarify common misconceptions, and show how to identify CUI using markings, contract context, and legal references. This foundational video helps viewers understand what data needs protection before beginning the CMMC scoping process.
-
Part 2: CMMC Scoping after the Final Rule – CUI Assets
In Part 2, Amira Armond and Mark Hapeman of Kieri Solutions walk through the basics of CMMC Level 2 scoping. They explain how to identify where CUI resides in your environment, discuss common scoping strategies, and introduce CUI asset categories. Viewers will learn why building a secure enclave is often the best path and how to start mapping systems, users, and facilities that interact with CUI.
In Part 2, Amira Armond and Mark Hapeman of Kieri Solutions walk through the basics of CMMC Level 2 scoping. They explain how to identify where CUI resides in your environment, discuss common scoping strategies, and introduce CUI asset categories. Viewers will learn why building a secure enclave is often the best path and how to start mapping systems, users, and facilities that interact with CUI.
-
Part 3: CMMC Scoping after the Final Rule – CUI Assets Continued
In Part 3, Amira Armond and Mark Hapeman of Kieri Solutions explain how to identify CUI assets—any systems, users, or services that process, store, or transmit CUI. They cover how assessors interpret “processing,” the impact of remote tools like VDI, and when assets fall under multiple categories. Viewers will learn how to scope accurately and determine which systems are subject to CMMC Level 2 requirements.
In Part 3, Amira Armond and Mark Hapeman of Kieri Solutions explain how to identify CUI assets—any systems, users, or services that process, store, or transmit CUI. They cover how assessors interpret “processing,” the impact of remote tools like VDI, and when assets fall under multiple categories. Viewers will learn how to scope accurately and determine which systems are subject to CMMC Level 2 requirements.
-
Part 4: CMMC Scoping after the Final Rule – SPA Assets
In Part 4, Amira Armond and Mark Hapeman of Kieri Solutions explain Security Protection Assets (SPAs)—systems, software, or people that support security functions in a CMMC Level 2 environment. Viewers learn how SPAs are scoped, what assessors will check, and how to document them effectively in the SSP without overextending scope.
In Part 4, Amira Armond and Mark Hapeman of Kieri Solutions explain Security Protection Assets (SPAs)—systems, software, or people that support security functions in a CMMC Level 2 environment. Viewers learn how SPAs are scoped, what assessors will check, and how to document them effectively in the SSP without overextending scope.
-
Part 5: CMMC Scoping after the Final Rule – CRMA
In Part 5, Amira Armond and Mark Hapeman of Kieri Solutions explain Contractor Risk Managed Assets (CRMAs)—systems that aren’t intended to handle CUI but reside on the same network. Viewers learn how to document and secure CRMAs, what assessors will review, and how to avoid reclassification as CUI assets through proper policies and incident response.
In Part 5, Amira Armond and Mark Hapeman of Kieri Solutions explain Contractor Risk Managed Assets (CRMAs)—systems that aren’t intended to handle CUI but reside on the same network. Viewers learn how to document and secure CRMAs, what assessors will review, and how to avoid reclassification as CUI assets through proper policies and incident response.
-
Part 6: CMMC Scoping after the Final Rule – Specialized Assets (SPA)
In Part 6, Amira Armond and Mark Hapeman of Kieri Solutions cover Specialized Assets—systems that handle CUI but can’t be fully secured. Viewers learn about the five allowed categories, how assessors treat them differently, and how to document risk-based protections in the SSP without triggering full assessment.
In Part 6, Amira Armond and Mark Hapeman of Kieri Solutions cover Specialized Assets—systems that handle CUI but can’t be fully secured. Viewers learn about the five allowed categories, how assessors treat them differently, and how to document risk-based protections in the SSP without triggering full assessment.
-
Part 7: CMMC Scoping after the Final Rule –Out of Scope Items
Not every system in your organization needs to be assessed. In this final part of the series, Amira Armond and Mark Hapeman explain how to identify truly out-of-scope assets—those that neither process CUI nor secure CUI assets—and what assessors expect as justification. Learn how boundaries, firewalls, and policies play a role, and why clarity during your scoping call is essential.
Not every system in your organization needs to be assessed. In this final part of the series, Amira Armond and Mark Hapeman explain how to identify truly out-of-scope assets—those that neither process CUI nor secure CUI assets—and what assessors expect as justification. Learn how boundaries, firewalls, and policies play a role, and why clarity during your scoping call is essential.
-