CMMC Scoping Guide: CUI Boundary, Enclave Strategy & SSP Checklist
The biggest mistake defense contractors make is scoping wrong: either pulling the whole company into assessment scope (expensive) or drawing a boundary a C3PAO won't accept (catastrophic). This guide fixes both.
50–70%: assessment cost reduction with a proper enclave
6: asset categories defined by DoD
Nov '26: C3PAO mandate deadline
Scoping in 5 steps
1. Find CUI: where does it enter, live, and exit?
2. Classify every asset using DoD's 6 categories
3. Design your boundary: enclave or full-org?
4. Enforce the boundary technically, not just on paper
5. Document in your SSP: what C3PAOs actually evaluate
The CMMC assessment scope determines which systems, people, and processes a C3PAO evaluates against all 110 NIST 800-171 controls. Scope too wide and you're paying to harden your marketing team's laptops. Scope too narrow, without technical enforcement to back it up, and an assessor can expand your scope on day one, blowing up your timeline and budget.
Over-scoping:
Entire corporate network in assessment boundary
All employees subject to CMMC training requirements
All workstations need endpoint hardening
C3PAO assesses every system = higher fees
Remediation cost 2–3x higher than necessary
Operational disruption across all departments
Ongoing maintenance burden for entire org
Enclave approach:
Only CUI-handling systems in assessment boundary
Only CUI users need full CMMC training
Enclave endpoints hardened; rest of org unaffected
C3PAO scope is smaller = lower assessment fees
50–70% lower remediation cost is common
Rest of business keeps operating normally
Maintenance focused on a defined, contained environment
Critical point: The DoD doesn't approve or reject your enclave architecture upfront. Your C3PAO assessor evaluates whether your scope definition is reasonable and your boundary controls are technically enforced. The enclave approach is explicitly recognized in CMMC guidance as a valid strategy, but the boundary must be real, not just documented on paper.
Every asset in your environment must be classified into one of six categories defined by the DoD's official CMMC Scoping Guide (32 CFR §170.19). Your classification determines whether each asset is fully in scope, partially in scope, or out of scope, and what documentation is required for each. Getting this classification right is the foundation of a defensible scope.
The six asset categories (category, what it means, assessment scope):

CUI Assets
What it means: Systems that process, store, or transmit CUI. These are the core assets your enclave is built around. Every CUI Asset must comply with all 110 NIST 800-171 controls. Examples: servers containing CUI databases, workstations used for CUI work, email systems receiving CUI, cloud storage holding CUI files.
Assessment scope: Fully in scope

Security Protection Assets (SPAs)
What it means: Systems that provide security functions protecting CUI Assets but don't directly process CUI. Examples: firewalls, SIEM platforms, domain controllers, identity providers (Okta, Azure AD), vulnerability scanners, endpoint detection tools, log aggregators. If it fails, your CUI is at risk, so it's in scope.
Assessment scope: Fully in scope

Contractor Risk Managed Assets (CRMAs)
What it means: Systems that can connect to CUI Assets or SPAs but don't handle CUI. Examples: employee laptops on a shared network that have no direct CUI access, printers on the same VLAN, non-CUI servers with network adjacency. You manage risk with your own security policies, but assessors can inspect these if documentation is insufficient or findings raise questions.
Assessment scope: Conditional

Specialized Assets
What it means: Assets with technical limitations preventing full CMMC control implementation. Examples: IoT devices, operational technology (OT), industrial control systems, test equipment, government-furnished equipment (GFE). Must be documented in the SSP with risk-based justification. Can qualify for an Enduring Exception if physically/logically isolated.
Assessment scope: Conditional

Out-of-Scope Assets
What it means: Assets completely isolated from CUI Assets and SPAs: no network connection, no data flow, no shared services. Examples: a completely separate corporate network for HR/finance with no path to CUI systems. Physical or logical isolation must be technically enforced and documented. If there's any connection pathway, it's not truly out of scope.
Assessment scope: Out of scope

External Service Providers (ESPs)
What it means: Third-party cloud or managed services that process, store, or transmit CUI on your behalf. Examples: Microsoft 365 GCC High, AWS GovCloud, managed security providers. Must be FedRAMP Authorized at Moderate or equivalent. ESP assets are part of your scope: they appear in your SSP and C3PAOs evaluate them through your documentation and their FedRAMP authorization.
Assessment scope: In scope (inherited)
The CRMA trap: Many contractors assume systems that "don't touch CUI" are automatically out of scope. They're not; they're CRMAs, which are part of your assessment scope if they connect to CUI systems or SPAs. You document them with risk-based policies, but assessors can still inspect them. Only assets with zero connection pathways to your CUI environment are truly out of scope.
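The scoping rule above (any connection pathway to a CUI Asset or SPA means the asset is at least a CRMA, and only assets with no pathway are truly out of scope) can be checked mechanically against an asset inventory. The following Python is an added example, not code from the guide or from DoD; the inventory and link list are constructed, and the category names follow the six categories described above.

```python
from collections import deque

# Constructed sample inventory: asset name -> declared DoD category.
ASSETS = {
    "cui-fileserver": "CUI Asset",
    "cui-workstation-01": "CUI Asset",
    "firewall-core": "Security Protection Asset",
    "domain-controller": "Security Protection Asset",
    "eng-laptop-07": "Contractor Risk Managed Asset",
    "hr-payroll": "Out-of-Scope Asset",
    "finance-erp": "Out-of-Scope Asset",
    "lobby-printer": "Out-of-Scope Asset",  # actually shares a VLAN with a CUI workstation
}
# Constructed connectivity (network links and data flows), treated as undirected:
# a pathway in either direction counts for scoping purposes.
LINKS = [
    ("cui-fileserver", "firewall-core"),
    ("cui-workstation-01", "firewall-core"),
    ("cui-workstation-01", "domain-controller"),
    ("eng-laptop-07", "domain-controller"),
    ("lobby-printer", "cui-workstation-01"),
    ("hr-payroll", "finance-erp"),
]
IN_SCOPE_ANCHORS = {"CUI Asset", "Security Protection Asset"}

def connected_to_cui(assets, links):
    """Return every asset with some pathway to a CUI Asset or SPA (breadth-first search)."""
    adj = {name: set() for name in assets}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen = {name for name, cat in assets.items() if cat in IN_SCOPE_ANCHORS}
    queue = deque(seen)
    while queue:
        for nxt in adj[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def scope_findings(assets, links):
    """Flag declared categories that the connectivity evidence contradicts."""
    connected = connected_to_cui(assets, links)
    findings = []
    for name, cat in assets.items():
        if cat == "Out-of-Scope Asset" and name in connected:
            findings.append((name, "pathway to CUI/SPA exists: at least a CRMA, not out of scope"))
        elif cat == "Contractor Risk Managed Asset" and name not in connected:
            findings.append((name, "no pathway found: could be isolated and moved out of scope"))
    return findings
```

Run against a real inventory, the link list should come from your network diagram and data-flow walk, since an assessor will build the same graph from the evidence you present.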
Part 1 of 4
CUI Discovery: Find Everything Before Your Assessor Does
You cannot define a defensible boundary until you know exactly where CUI lives. Most contractors are surprised by how many systems touch CUI once they map it thoroughly. A C3PAO who finds CUI in systems you claimed were out of scope will expand your assessment scope on the spot, and bill you accordingly.
CUI Discovery checklist, in three areas: how CUI enters your organization, where CUI lives in your environment, and how CUI leaves your organization. Each area's items are marked Critical or as an SSP item.
Pro tip: Walk through a single CUI deliverable from receipt to delivery, step by step, system by system. Every system it touches becomes a CUI Asset or SPA. This "data flow walk" surfaces scope items that asset inventories miss every time.
Part 2 of 4
Enclave Strategy: Full-Org vs. CUI Enclave
Once you know where CUI lives, you have a strategic choice: secure your entire organization to CMMC Level 2 standards, or isolate CUI into a defined enclave and only bring that portion of your environment into scope. For most small and mid-size contractors, the enclave approach is dramatically more cost-effective.
When the enclave approach makes sense
If only 3–10 people handle CUI out of a 50-person company, CMMC-hardening the other 40 people and their systems is a waste. Enclave those 3–10 people and their systems.
CUI is already concentrated
If your CUI discovery shows data is already concentrated in a few systems (a project server, a dedicated email account), building a wall around those systems is technically straightforward.
Mixed commercial / DoD business
If DoD work is a portion of your business alongside commercial clients, you don't want CMMC requirements affecting your commercial operations. Enclave keeps them separated.
Cost and timeline pressure
With the November 2026 C3PAO deadline, a smaller scope means faster remediation, lower cost, and an easier path to getting certified in time. Full-org approaches take longer.
When full-org scope makes more sense
CUI is everywhere
If your CUI discovery shows it touches most of your organization (most employees, most systems), the enclave is your entire company and there's nothing to isolate.
Primarily a DoD contractor
If the vast majority of your business is DoD work and most employees handle CUI, the overhead of maintaining two operating environments isn't worth the savings.
Already security-mature
If your whole company is already close to CMMC Level 2 compliance (strong ISO 27001 or SOC 2 program), the delta to bring everything in scope may be smaller than the complexity of maintaining an enclave.
Option 1: Cloud-based enclave (most common for SMBs)
Move all CUI to a FedRAMP-authorized cloud: Microsoft 365 GCC High for email/collaboration, Azure Government or AWS GovCloud for data storage. Users access via virtual desktop or managed devices. CUI never touches commercial cloud or local drives. Cloud provider inherits controls; you configure them correctly and document the inheritance in your SSP. Fastest path to enclave for most contractors.
Option 2: On-premises segmented network enclave
Create a physically or logically separate network segment (VLAN + firewall rules) for CUI systems. CUI workstations, servers, and peripherals are isolated from the general corporate network. Requires more internal technical work (firewall configuration, separate domain, separate switch infrastructure) but keeps data on-premise. Works well for contractors with existing IT infrastructure and mature internal security teams.
Option 3: Virtual desktop / VDI enclave
CUI lives in a centralized virtual desktop environment. Employees access the enclave via a thin client or managed device; CUI never downloads to local endpoints. Particularly effective when CUI users are distributed or remote. The virtual desktop infrastructure becomes the CUI Asset; local devices are CRMAs or out of scope if they truly never touch CUI. Ongoing per-user licensing cost is higher but reduces device-level compliance burden significantly.
Part 3 of 4
Boundary Enforcement: Make the Boundary Real
The most common reason C3PAOs reject or expand an enclave scope is insufficient technical enforcement. A documented boundary that isn't backed by real technical controls isn't a boundary; it's a policy document. Every item below must be technically implemented AND documented. Check off each as you implement it.
Boundary Enforcement checklist, in four areas: network boundary controls, access controls at the boundary, CUI spillage prevention, and monitoring inside the enclave. Each area's items are marked Critical, Enclave, or as an SSP item.
The C3PAO boundary test: Assessors evaluate your boundary through three lenses: (1) documentation: is the boundary clearly described in the SSP with network diagrams? (2) technical evidence: can you demonstrate firewall rules, access controls, and monitoring? (3) interviews: do your staff understand what can and can't cross the boundary? All three must pass. Documentation alone never satisfies a competent assessor.
Part 4 of 4
SSP Scope Documentation Checklist
Your System Security Plan (SSP) is the primary document a C3PAO evaluates. It must clearly define your scope, document your boundary, and describe how every applicable control is implemented. An incomplete or vague SSP is the single biggest cause of extended assessments and unexpected findings. Check off each SSP element as you document it.
SSP quality determines assessment duration: A well-organized, complete SSP where every section is clear and evidence is pre-organized can cut your C3PAO assessment time, and cost, significantly. Assessors bill by time. A vague SSP that requires constant clarification and evidence chasing is the most expensive SSP you can write.
Common Questions
CMMC Scoping FAQ
Can I just put everything in scope and avoid the complexity?
You can, but for most small and mid-size contractors it's unnecessarily expensive. Full-org scope means every employee, every device, every system must meet all 110 NIST 800-171 controls, including your marketing team, HR systems, and corporate finance tools. The C3PAO will assess all of it. Remediation costs 2–3x more, assessment fees are higher, and ongoing compliance maintenance covers your entire organization. Unless CUI truly permeates your entire organization, a well-built enclave is almost always the better choice. That said, if your CUI discovery reveals that CUI is everywhere, full-org scope is the honest approach; a fabricated small enclave that doesn't match reality will fail assessment.
What's the difference between a CUI Asset and a Security Protection Asset?
A CUI Asset directly processes, stores, or transmits CUI: a server with CUI files on it, an email account receiving CUI, a workstation used for CUI work. A Security Protection Asset provides security functions that protect CUI Assets but doesn't directly handle CUI: a firewall, your SIEM, your domain controller, your EDR platform, your MFA system. Both are fully in scope and subject to all 110 controls. The distinction matters for your asset inventory and SSP documentation, not for the level of security you apply to them.
Can I change my scope after the C3PAO assessment starts?
No, not without significant consequences. Your scope is defined in your SSP and agreed upon with your C3PAO before the assessment begins. If an assessor discovers CUI assets that weren't in your declared scope, the scope will be expanded and the assessment continues against the larger scope. This is costly and may require additional assessment days. If you voluntarily discover out-of-scope CUI assets during pre-assessment preparation, the right move is to either bring them into scope and harden them, or implement controls that genuinely isolate them before assessment begins. Don't misrepresent scope; it's a federal contract integrity issue, not just a CMMC issue.
Do I need a separate domain controller for my enclave?
Not necessarily, but if your corporate domain controller manages both enclave and non-enclave systems, it becomes a Security Protection Asset within your CMMC scope. The domain controller is effectively an SPA because it controls access to CUI systems. This is fine as long as it's included in your assessment scope, hardened to CMMC requirements, and documented in your SSP. Many contractors do run a dedicated enclave domain to keep scope clean, but it's an architectural choice, not a requirement. The key question is: can your C3PAO trace a clear, defensible line around what's in scope? A shared domain controller that's included in scope and properly secured satisfies this.
Does using Microsoft GCC High automatically satisfy CMMC requirements?
GCC High is FedRAMP High authorized and covers a significant set of CMMC controls through inheritance, particularly physical security, infrastructure security, and platform-level controls. But it doesn't automatically satisfy CMMC. You're still responsible for correctly configuring GCC High (conditional access, MFA enforcement, DLP settings, audit log retention), for all the administrative and workforce controls (training, incident response, risk assessment), and for the configuration of every application running on top of Microsoft's infrastructure. Think of GCC High as a strong foundation that inherits many controls; you still have substantial configuration and governance work on top of it. Document the inheritance clearly in your SSP. See our CMMC Level 2 guide for more on cloud enclave options.
How does scoping affect what I pay for a C3PAO assessment?
Directly. C3PAO assessment fees are largely driven by scope complexity: number of assets, number of users, number of systems to examine, and number of interview subjects. A contractor with 5 people in an enclave handling CUI, backed by a cloud provider inheriting most physical and infrastructure controls, will pay dramatically less for their assessment than one with 50 people across a full-org scope. Industry estimates for C3PAO assessments range from $15,000 for a tight, simple enclave to $100,000+ for complex, large-scope assessments. Proper scoping is the single most effective way to reduce your total CMMC program cost. See also: SPRS Score Explained and CMMC Cost & Timeline.
Ready to see your actual CMMC gaps?
Run a free gap assessment against all 110 NIST 800-171 controls. Get your estimated SPRS score, a control-by-control breakdown, and a prioritized remediation roadmap.
For informational purposes only. Not legal advice. CMMC requirements vary by contract; consult your contracting officer and a qualified RPO or C3PAO.