Three Steps to Lock Down Your CMMC Boundary

Many organizations in the Defense Industrial Base (DIB) may not realize that scoping before a CMMC 2.0 assessment can be the most important step in the CMMC compliance journey. Establishing a scope without careful thought can result in paying more for your assessment, investing more than you need to in preparing for CMMC, and more.

Scoping is not just a preliminary checklist. A scope that is too small can result in failing an assessment. If the scope is too large, organizations waste money and time.
Here are three steps to make sure you define your scope well.

1. Identify Your Asset Categories
You cannot protect what you haven't identified. Under CMMC (specifically following the logic of Scoping Guidance for Level 2), you need to categorize every single thing that touches Controlled Unclassified Information (CUI).
We categorize these into four distinct buckets:

  • CUI Assets: These are the "hot" assets. They process, store, or transmit CUI. They are the primary focus of your assessment.
  • Security Protection Assets: These are the guardians. Your firewalls, your MFA servers, your SOC tools. Even if they don't "hold" CUI, they protect it, which means they are in scope and must meet the requirements.
  • Out-of-Scope Assets: These are assets that cannot process, store, or transmit CUI. The goal is to maximize this list through smart architecture.
  • Specialized Assets: Think IoT, OT, and Test Equipment. These require a nuanced approach, but they cannot be ignored.

The logic is simple: follow the data. Map the flow of CUI from the moment it hits your environment until the moment it leaves. If a machine even looks at a CUI file, it’s in the cage.

2. The Power of Segregation and Separation
If your guest Wi-Fi can talk to your engineering server where the blueprints live, your entire building is in scope. That is a recipe for a very expensive, very painful assessment.

You need to lean heavily into segmentation. By using VLANs, physical separation, and robust firewalls, you can create a "CUI Enclave." Think of it as a vault within a bank. By isolating the assets that handle sensitive defense data from the rest of your corporate environment (like HR or general accounting), you shrink the "Assessment Boundary."

Why does this matter? Because every asset inside that boundary must be assessed against all 110 practices of NIST SP 800-171. If you can move 50 workstations out of scope through proper segregation, you’ve just saved yourself hundreds of hours of evidence collection.
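The two steps above can be checked mechanically: categorize every asset, record which network segments are allowed to talk to which, and then compute which assets actually have a path to a CUI system. The script below is an added illustration, not code from Smithers or from the CMMC scoping guidance. It uses a constructed, hypothetical inventory and a deliberately simple model of connectivity (directed zone-to-zone allow rules; anything in the same VLAN can reach anything else in it). Any asset labelled "out of scope" that can reach a CUI zone, directly or through another zone, is flagged as misclassified and pulled into the boundary, which is exactly the guest-Wi-Fi-to-engineering-server situation described above.

```python
"""Assessment-boundary calculator (illustrative, hypothetical inventory).

Step 1: every asset gets one of the four categories from the article.
Step 2: allowed flows between zones (VLANs / physical segments) are listed,
        and reachability decides whether an 'out-of-scope' label holds up.
"""
from collections import deque
from dataclasses import dataclass

CUI, SPA, OOS, SPECIALIZED = "CUI", "SPA", "OOS", "SPECIALIZED"


@dataclass(frozen=True)
class Asset:
    name: str
    category: str
    zone: str  # VLAN or physical segment the asset sits in


def reachable_zones(rules, start):
    """Zones reachable from `start` over allowed flows, following rules
    transitively (a leaky rule into a management VLAN that in turn reaches
    the enclave counts). Traffic within a zone is always assumed allowed."""
    seen = {start}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst in rules:
            if src == zone and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen


def assessment_boundary(assets, rules):
    """Return (in_scope_names, misclassified_names), both sorted.

    CUI assets and Security Protection Assets are always in scope.
    Specialized assets are kept in scope here (the article says they cannot
    be ignored; how they are assessed is a separate question).
    An asset labelled OOS whose zone can reach any CUI zone is misclassified:
    it can talk to CUI systems, so it belongs inside the boundary."""
    cui_zones = {a.zone for a in assets if a.category == CUI}
    in_scope, misclassified = set(), []
    for asset in assets:
        if asset.category in (CUI, SPA, SPECIALIZED):
            in_scope.add(asset.name)
        elif reachable_zones(rules, asset.zone) & cui_zones:
            in_scope.add(asset.name)
            misclassified.append(asset.name)
    return sorted(in_scope), sorted(misclassified)


# Constructed sample inventory: name -> category. Zones are assigned per scenario.
CATEGORIES = {
    "eng-fileserver": CUI,       # holds the blueprints
    "eng-workstation-01": CUI,   # engineer's desktop that opens CUI files
    "edge-firewall": SPA,        # protects CUI without storing it
    "mfa-server": SPA,
    "hr-laptop": OOS,            # HR / general accounting
    "visitor-phone": OOS,        # guest Wi-Fi client
    "cnc-mill": SPECIALIZED,     # OT / test equipment
}


def build_inventory(zone_of):
    """zone_of: name -> zone for this scenario (hypothetical values)."""
    return [Asset(name, cat, zone_of[name]) for name, cat in CATEGORIES.items()]


# Scenario A: flat network, everything on one VLAN, no rules needed.
FLAT = build_inventory({name: "corp-lan" for name in CATEGORIES})
FLAT_RULES = set()

# Scenario B: segmented. CUI enclave, a security-management segment that may
# reach the enclave, and the rest isolated. Hypothetical zone names.
SEGMENTED = build_inventory({
    "eng-fileserver": "cui-enclave",
    "eng-workstation-01": "cui-enclave",
    "edge-firewall": "security-mgmt",
    "mfa-server": "security-mgmt",
    "hr-laptop": "corp-lan",
    "visitor-phone": "guest-wifi",
    "cnc-mill": "ot-lab",
})
SEGMENTED_RULES = {("security-mgmt", "cui-enclave"), ("cui-enclave", "security-mgmt")}


if __name__ == "__main__":
    for label, assets, rules in (("flat", FLAT, FLAT_RULES),
                                 ("segmented", SEGMENTED, SEGMENTED_RULES)):
        in_scope, bad = assessment_boundary(assets, rules)
        print(f"{label}: {len(in_scope)} of {len(assets)} assets in scope; "
              f"misclassified as out-of-scope: {bad or 'none'}")
```

Running it shows the flat network pulling all seven assets into the boundary, with the HR laptop and the guest phone flagged, while the segmented design leaves five (the two CUI systems, the two protection assets, and the CNC mill). Adding a single rule such as corp-lan to security-mgmt reintroduces the HR laptop through the transitive path into the enclave, which is why the check follows flows rather than only direct adjacency.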

3. Vet Your External Service Providers (ESPs)
Many organizations use cloud storage, managed IT services (MSPs), or security providers (MSSPs). It is important to remember that you can outsource the work, but you cannot outsource the accountability.
When you use an External Service Provider to handle CUI or provide security services, they become part of your scope.

  • Cloud Providers: Ensure they meet the FedRAMP Moderate (or equivalent) requirements.
  • MSPs/MSSPs: If your MSP has administrative access to your CUI environment, they are a massive variable. Under the current rules, these providers will likely need their own CMMC certification or be heavily scrutinized during your assessment.

Before you sign a Scope of Work document with a vendor, ask for their SOC 2 reports, their shared responsibility matrix, and their own CMMC status. If they can't provide clear evidence of how they protect your data, they are a liability to your certification.

The Bottom Line for CMMC Compliance

Scoping can be where the battle is won or lost. It requires a focused, clinical look at your infrastructure.
At Smithers, we understand that as an authorized C3PAO, our job is to ensure that when we step into the room for your assessment, the boundaries are clear and the evidence is solid. Start with these three steps, and you’ll be miles ahead of the competition.

Questions About CMMC Scope?

Smithers understands that setting the scope for a CMMC 2.0 assessment can be intimidating. Contact us today to ask us questions.
