Out of Scope
Also known as: OOS · Out-of-Scope asset
An asset that has no role in handling, protecting, or supporting the in-scope CUI environment. Out-of-scope assets are not assessed under CMMC Level 2.
Out-of-Scope (OOS) assets are systems, networks, or facilities that have no role in handling, protecting, or supporting the in-scope Controlled Unclassified Information environment. They are excluded from the CMMC Level 2 authorization boundary and are not assessed by the C3PAO.
For an asset to be legitimately out of scope, the contractor must demonstrate: (1) the asset cannot reach the in-scope environment over the network; (2) it does not share infrastructure with in-scope assets; (3) it does not provide supporting services to the in-scope environment; and (4) there is no path by which a compromise of the OOS asset could affect CUI.
Many contractors carve their CMMC scope down by establishing a logically isolated CUI enclave (often a separate Microsoft 365 GCC High tenant or a dedicated network segment) and declaring the rest of the corporate environment out of scope. This is a common and effective scoping strategy.
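As an added illustration (not CMMCDocs material and not an assessment procedure), the four criteria above can be checked mechanically against an asset inventory before declaring anything out of scope. The asset names, the flow, infrastructure and service maps, and the reading of criterion 4 as multi-hop reachability over permitted flows are all assumptions constructed for this example.

```python
from collections import deque

# All names and data below are constructed for illustration.
IN_SCOPE = {"cui-fileserver", "cui-workstation"}
DECLARED_OOS = ["guest-wifi", "marketing-laptop", "print-server",
                "backup-server", "log-collector"]
# Permitted flows (initiator -> targets), e.g. distilled from firewall rules.
FLOWS = {"marketing-laptop": {"print-server"},
         "print-server": {"cui-workstation"}}
# Infrastructure each asset runs on (hypervisor, switch, ...).
INFRA = {"cui-fileserver": {"hv-01"}, "cui-workstation": {"sw-enclave"},
         "backup-server": {"hv-01"}, "print-server": {"sw-corp"},
         "marketing-laptop": {"sw-corp"}, "guest-wifi": {"sw-guest"}}
# Services an asset provides, and to whom.
SERVES = {"log-collector": {"cui-fileserver"}}


def reaches_in_scope(start):
    """Breadth-first search over FLOWS: does any chain of hops end in scope?"""
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in FLOWS.get(queue.popleft(), ()):
            if nxt in IN_SCOPE:
                return True
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


def failed_criteria(asset):
    """Return the criteria numbers (1-4) that the asset fails."""
    in_scope_infra = set().union(*(INFRA.get(a, set()) for a in IN_SCOPE))
    checks = [
        (1, FLOWS.get(asset, set()) & IN_SCOPE),         # direct network reach
        (2, INFRA.get(asset, set()) & in_scope_infra),   # shared infrastructure
        (3, SERVES.get(asset, set()) & IN_SCOPE),        # supporting service
        (4, reaches_in_scope(asset)),                    # assumed: multi-hop path
    ]
    return [number for number, hit in checks if hit]


def review():
    """Map each declared-OOS asset to the criteria it fails ([] = none)."""
    return {asset: failed_criteria(asset) for asset in DECLARED_OOS}


if __name__ == "__main__":
    for asset, failed in review().items():
        print(asset, "OK" if not failed else f"fails criteria {failed}")
```

In this constructed inventory the marketing laptop has no direct rule into the enclave, yet it still fails criterion 4 because the print server it can reach is itself allowed into the enclave.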
CMMCDocs.com