CMMC Scoping
In the final part of the CMMC Level 2 scoping series, Amira Armond and Mark Hapeman of Kieri Solutions explain how to determine when assets are considered truly out of scope. They walk through the official scoping guide definition and emphasize that out-of-scope assets must not process, store, or transmit CUI—and must not provide security protections for CUI assets. They clarify the role of firewalls, physical and logical separation, and even administrative controls like policies in supporting out-of-scope designations. The video also explores Virtual Desktop Infrastructure (VDI) endpoints, vendor-managed systems, MSPs, and subcontractor relationships. Key takeaway: assessors won’t evaluate out-of-scope assets—but organizations must be prepared to justify their designation clearly during the scoping process.