

CUI Scoping: Defining Your Assessment Boundary

Before you implement a single security control, you need to answer a fundamental question: where does Controlled Unclassified Information exist in your environment? The answer defines your CMMC assessment boundary — the set of systems, networks, and people subject to all 110 NIST SP 800-171 requirements. Get this wrong, and you will either overspend on compliance (too broad) or have gaps that an assessor will find (too narrow).

Understanding Asset Categories

The CMMC Level 2 scoping guidance sorts every asset in your environment into one of five categories, and the category determines how the asset is documented and how the assessor treats it. CUI Assets process, store, or transmit CUI; they are fully in scope and are assessed against every applicable requirement. Security Protection Assets provide security functions for the CUI environment whether or not they ever handle CUI themselves: firewalls, the SIEM, antivirus and endpoint management servers, identity providers, and a managed service provider's tooling if one is used. They are in scope and are assessed against the requirements relevant to the function they provide. Contractor Risk Managed Assets can, but are not intended to, process, store, or transmit CUI because of the policies, procedures, and practices in place; they do not have to be physically or logically separated from CUI assets, but they must appear in your asset inventory, SSP, and network diagram, and if that documentation leaves doubt the assessor may perform a limited check against the requirements. Specialized Assets are devices that can handle CUI but cannot be fully secured: IoT devices, operational technology, government-furnished equipment, restricted information systems, and test equipment. They are in scope in the sense that they must be documented in the SSP, inventory, and diagram along with the risk-based measures that protect them, but they are not assessed against the other requirements. Out-of-Scope Assets cannot process, store, or transmit CUI and provide no security function to the CUI environment; they need no documentation, though you should be able to explain why they cannot reach CUI.

Mapping CUI Flow

Start by tracing how CUI enters your organization. Does it arrive via email, file transfer, a government portal, or physical media? Track where it goes next — which servers store it, which applications process it, which users access it, and which devices display it. Map the entire lifecycle from receipt through processing, storage, transmission, and eventual destruction.

This data flow analysis reveals every system that touches CUI and therefore falls within your boundary. It also reveals systems that do not need to touch CUI but currently do — these are candidates for scope reduction.

Scope Reduction Strategies

The most effective way to reduce compliance cost is to shrink your CUI boundary. Strategies include network segmentation (isolating CUI systems on a separate VLAN or physical network, with firewall or ACL rules that actually deny traffic from the rest of the enterprise; a VLAN that any host can route into separates nothing), dedicated CUI workstations (rather than allowing CUI access from every corporate laptop), cloud isolation (a separate Microsoft 365 GCC High tenant, or another FedRAMP Moderate or equivalent environment, for CUI workloads), and process changes that eliminate unnecessary CUI handling, such as working with CUI inside the customer's portal instead of downloading it. Watch the shared services: if the CUI enclave still authenticates against the corporate Active Directory, is patched by the corporate management server, or logs to the corporate SIEM, those systems are Security Protection Assets and come into scope with it.

Every system you move out of scope is a system that does not need to meet 110 security requirements, does not need to be documented in your SSP, and does not need to be assessed. The ROI on scope reduction is often better than the ROI on implementing controls across a broad environment.

Documenting Your Boundary

Your SSP must include a clear description of the assessment boundary. Include an asset inventory that states each asset's category, and a network diagram showing the CUI boundary, all CUI assets, security protection assets, and the data flows between them. Identify every boundary crossing point (a flow with one end inside the boundary and one end outside) and the controls at each one. An assessor will use this documentation to plan the assessment and to confirm that your categories match reality; if the boundary is unclear, the assessment will be difficult for everyone.

Common Scoping Mistakes

The most common mistake is under-scoping: claiming a narrow boundary while CUI actually flows beyond it. If users access CUI email on their personal phones, those phones are in scope. If CUI is backed up to a NAS device, that NAS is in scope. If the IT admin's workstation has admin access to CUI servers, that workstation is in scope. Be thorough and honest in your scoping analysis.
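The flow mapping, boundary documentation, and under-scoping checks described in the Mapping CUI Flow, Documenting Your Boundary, and Common Scoping Mistakes sections above can be run mechanically over an inventory and a flow list. The following is an added example, not code from CMMCDocs or from the CMMC scoping guidance itself. The assets, flows, and ingress point are constructed; the classification rules (CUI flows and admin access define CUI assets, security services consumed by CUI assets define Security Protection Assets, plain network reachability to a CUI asset defines a Contractor Risk Managed Asset) are assumptions spelled out in the comments, and Specialized Assets are not modeled because that category depends on device type rather than on flows.

```python
"""Classify assets from a data-flow map and flag scoping problems.

Added example, not code from CMMCDocs or from the CMMC scoping guide.
Inventory, flows and ingress point are constructed; the rule for each
category is an assumption stated beside it.
"""
from collections import deque

# Constructed inventory. INTENDED_CUI is where the organization *plans*
# to handle CUI; the flow analysis shows where CUI actually goes.
ASSETS = ["email-gateway", "cui-workstation", "cui-fileserver", "nas-backup",
          "admin-laptop", "idp", "siem", "hr-payroll", "marketing-web"]
INTENDED_CUI = {"email-gateway", "cui-workstation", "cui-fileserver"}
INGRESS = ["email-gateway"]          # where CUI enters from the government

# Constructed flows: (source, destination, kind).
#   cui       - the data itself moves
#   admin     - privileged access to the destination
#   auth/logs - a security service the destination provides to the source
#   network   - plain connectivity with no CUI flow (shared flat network)
FLOWS = [
    ("email-gateway",   "cui-workstation", "cui"),
    ("cui-workstation", "cui-fileserver",  "cui"),
    ("cui-fileserver",  "nas-backup",      "cui"),      # backups nobody scoped
    ("admin-laptop",    "cui-fileserver",  "admin"),    # IT admin's laptop
    ("cui-workstation", "idp",             "auth"),
    ("cui-fileserver",  "siem",            "logs"),
    ("hr-payroll",      "cui-fileserver",  "network"),  # same VLAN, no CUI
    ("marketing-web",   "idp",             "auth"),     # shares the IdP only
]
SECURITY_KINDS = {"auth", "logs"}


def cui_assets(flows, ingress):
    """Everything reachable from the ingress points over 'cui' flows, plus
    anything holding 'admin' access to such an asset: it can read or move
    CUI whether or not a CUI flow is drawn for it (assumed rule)."""
    reached, queue = set(ingress), deque(ingress)
    while queue:
        node = queue.popleft()
        for src, dst, kind in flows:
            nxt = (dst if (kind == "cui" and src == node) else
                   src if (kind == "admin" and dst == node) else None)
            if nxt is not None and nxt not in reached:
                reached.add(nxt)
                queue.append(nxt)
    return reached


def classify(assets, flows, ingress):
    """Map each asset to one of the CMMC asset categories (assumed rules)."""
    cui = cui_assets(flows, ingress)
    # SPA: provides a security service consumed by a CUI asset (one hop;
    # extend the walk if, say, the SIEM forwards to an MSSP).
    spa = {dst for src, dst, kind in flows
           if kind in SECURITY_KINDS and src in cui} - cui
    in_scope = cui | spa
    # CRMA: can reach a CUI asset over the network but carries no CUI flow,
    # i.e. it is kept away from CUI by policy, not by segmentation.
    crma = {n for src, dst, kind in flows if kind == "network"
            and (src in cui or dst in cui) for n in (src, dst)} - in_scope
    return {a: ("CUI Asset" if a in cui else
                "Security Protection Asset" if a in spa else
                "Contractor Risk Managed Asset" if a in crma else
                "Out-of-Scope Asset") for a in assets}


def unplanned_cui(cats, intended):
    """Under-scoping check: CUI assets the organization never meant to be
    CUI assets. Each must be brought into scope or have its flow removed."""
    return sorted(a for a, c in cats.items()
                  if c == "CUI Asset" and a not in intended)


def boundary_crossings(cats, flows):
    """Flows with exactly one endpoint inside the assessment scope: the
    crossing points the SSP diagram must show, each with its control."""
    inside = {a for a, c in cats.items()
              if c in ("CUI Asset", "Security Protection Asset")}
    return [f for f in flows if (f[0] in inside) != (f[1] in inside)]


if __name__ == "__main__":
    cats = classify(ASSETS, FLOWS, INGRESS)
    for asset, cat in sorted(cats.items(), key=lambda kv: kv[1]):
        print(f"{cat:32} {asset}")
    print("unplanned CUI assets:", unplanned_cui(cats, INTENDED_CUI))
    print("boundary crossings:", boundary_crossings(cats, FLOWS))
```

On the constructed input the NAS and the admin laptop come back as CUI assets that were never planned as such, which is exactly the under-scoping the section above warns about; the payroll server on the same VLAN is a Contractor Risk Managed Asset until it is segmented away, and the two flows the SSP diagram must label as crossing points are the payroll server's network reachability to the file server and the marketing server's shared use of the identity provider.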
