Scoping & Boundary
Also known as: Authorization boundary · CMMC scoping
The process of defining which people, processes, hardware, software, and facilities are in scope for a CMMC Level 2 assessment.
Scoping and boundary definition is the foundational step of any CMMC Level 2 program. Before you can implement controls, write an SSP, or schedule an assessment, you must define the authorization boundary: the specific set of people, processes, hardware, software, and facilities that handle Controlled Unclassified Information.
The DoD's CMMC Assessment Scoping Guide for Level 2 categorizes assets into five types: Information System (IS) assets that process, store, or transmit CUI; Security Protection Assets (SPAs) that provide security functions for the IS; Contractor Risk Managed Assets (CRMAs) that could affect the IS but are not directly handling CUI; Out-of-Scope assets; and Specialized Assets (which have their own treatment).
The authorization boundary determines what the C3PAO will assess. A poorly drawn boundary either pulls too much into scope (making the assessment harder than it needs to be) or too little (failing to protect CUI that is actually flowing through unprotected systems). Scoping is one of the first things a C3PAO will challenge during the assessment.