Most teams approach Cybersecurity Maturity Model Certification (CMMC) Level 2 as a list of one hundred and ten controls to satisfy. That framing is correct but incomplete. Before any control applies, you have to decide where it applies. That decision is your assessment scope, and it is the most consequential and most frequently mishandled part of the entire effort.
Over-scope and you pay to secure systems that never touch sensitive data. Under-scope and an assessor finds Controlled Unclassified Information on a system you excluded, which can end an assessment before it finishes. This guide explains how to draw the boundary deliberately.
Start with the data, not the network
CMMC Level 2 protects Controlled Unclassified Information (CUI). Level 1, by contrast, protects only Federal Contract Information and carries fifteen basic safeguarding requirements. Level 2 aligns fully with NIST SP 800-171 and its one hundred and ten requirements across fourteen families. The first scoping question is therefore not architectural. It is informational: where does CUI actually live, move, and rest in your organization?
- Identify every contract and data flow that introduces CUI.
- Trace each flow through email, file storage, collaboration tools, endpoints, and any printed output.
- Note where CUI is created, where it is received, and where it is transmitted onward to subcontractors.
The question that reframes every engagement
A team will report that all CUI is in the cloud, and then an assessor asks whether anything is ever printed. The moment the answer is yes, physical facilities, devices, and personnel re-enter scope. Scope is defined by where CUI exists, not by where you would prefer it to exist.
Sort assets into the CMMC categories
The program defines several asset categories, and each is treated differently in an assessment. The practical goal is to keep the set of assets that store, process, or transmit CUI as small and as clearly bounded as is realistic, while honestly accounting for the systems that protect or connect to that boundary.
CUI assets
that store, process, or transmit Controlled Unclassified Information. These are fully in scope.
Security protection assets
that provide security functions to the boundary, such as identity providers and logging systems.
Contractor risk managed assets
that can access the environment but are governed by policy rather than full assessment.
Out-of-scope assets
that are physically or logically separated and never handle CUI.
Decide on enclave versus whole-tenant
There are two broad architectures. You can place the entire organization inside a compliant environment, or you can stand up a separate enclave scoped specifically for CUI while the rest of the business continues in a commercial environment. For most small and midsize contractors, a deliberately scoped enclave is the more economical and more defensible choice, because it shrinks the boundary to the systems that genuinely require it.
The enclave decision is tightly coupled to your cloud environment. If your CUI is export-controlled under ITAR or EAR, or if a contract requires United States persons only to administer the systems, the enclave generally has to run in a sovereign environment. We cover that decision in detail in our guide to choosing between Microsoft 365 Commercial, GCC, and GCC High.
Write the System Security Plan (SSP) to match reality
Both self-assessments and third-party assessments require a System Security Plan that describes the assessment scope, the major system components, and how each control is implemented. The plan has to describe the environment that actually exists. A common and expensive failure is a plan that describes intended practices that are not consistently performed. Documented practices that the environment does not actually follow do not survive an assessor's scrutiny.
Pressure-test the boundary before the assessor arrives
A gap assessment is not a formal step in certification, but it is the most useful first move available to you. It is a point-in-time review of your current program against the requirements, and it surfaces scoping errors while they are still inexpensive to fix. Many organizations conduct gap, readiness, and mock assessments at different stages. Treating the readiness review as a separate workstream, rather than a footnote inside remediation, is one of the clearest markers of teams that pass cleanly.
110
NIST SP 800-171 Requirements at CMMC Level 2
14
Control Families
180 Days
Maximum window to Close a POA&M Item
Why scoping is where a partner earns their keep
A configuration change cannot fix a scoping error. By the time an under-scoped boundary is discovered, the cost is measured in re-assessment fees and lost contract time. Scoping rewards judgment built from many engagements: knowing which assets a particular assessor will challenge, where CUI tends to leak across boundaries, and how to keep an enclave small without leaving a gap. That judgment is the core of what YGI Solutions brings to a Level 2 program, and it is the hardest part to build from scratch under contract pressure.