
CMMC Level 2 Assessment Scope Explained

Where CUI Makes Systems In Scope

Before you can implement a single CMMC control, you have to answer one question: what, exactly, are you protecting? The answer determines whether your CMMC certification costs $50,000 or $500,000.

CMMC Level 2 scoping is the process of drawing a boundary around every person, system, and facility that handles Controlled Unclassified Information — then classifying everything inside that boundary into one of five DoD-defined asset categories. The category an asset falls into determines how rigorously it gets evaluated.

The "Process, Store, or Transmit" Trigger

Three words drive all CMMC scoping. Any asset that does any one of these things with CUI enters the assessment scope.

Process

CUI is accessed, entered, edited, generated, manipulated, or printed. This is broader than most contractors assume.

Store

CUI is inactive or at rest on an asset — on a drive, in memory, on paper.

Transmit

CUI moves from one asset to another — across a network, via email, on removable media.

"Process" is the word that creates surprises. If an employee uses a remote VDI session to view CUI, the local laptop screen is visually displaying that data, and displaying a view of CUI constitutes processing. Without compensating controls documented in the SSP, that laptop is in scope. The data doesn't need to download for the device to qualify.

"Process" in CMMC scoping includes viewing, printing, and generating CUI — not just computation. Any device used to see CUI is a candidate for in-scope classification.

The Five Official Asset Categories

Tier 1 — Full Assessment (all 110 CMMC practices): every applicable control is evaluated.

  • CUI Assets — actively process, store, or transmit CUI
  • Security Protection Assets (SPA) — provide security functions for the CUI environment

Tier 2 — SSP Assessment Only: spot checks if documentation raises concerns.

  • Contractor Risk Managed Assets (CRMA) — can, but are not intended to, touch CUI; controlled by policy
  • Specialized Assets — IoT, OT, GFE, biometrics; eligible for an Enduring Exception

Tier 3 — Not Assessed: physically or logically isolated, with no CUI contact.

  • Out-of-Scope Assets — zero CUI exposure and zero assessment requirement; isolation must be demonstrable

Getting your tier assignment wrong is one of the most expensive mistakes in CMMC preparation. An asset miscategorized as Out-of-Scope that an assessor finds holding CUI can halt an entire assessment. An asset overcategorized as a CUI Asset when it is truly a CRMA wastes remediation budget on controls it doesn't need.

  • CUI Assets

    Assets that actively process, store, or transmit CUI. Assessed against all 110 applicable CMMC practices. Examples: file servers, engineer workstations, cloud storage in GCC High, email systems receiving CUI from DoD.

  • Security Protection Assets (SPA)

    Assets that provide security functions for your CUI environment — irrespective of whether they touch CUI directly. Firewalls, SIEM platforms, EDR tools, Active Directory, vulnerability scanners, and any MSP managing security on your behalf. Compromising any of these could expose CUI.

  • Contractor Risk Managed Assets (CRMA)

    Assets that can, but are not intended to, process, store, or transmit CUI — controlled by risk-based policy, not physical separation. Assessed only through SSP documentation review. If CUI is found, the asset immediately becomes a CUI Asset.

  • Specialized Assets

    IoT devices, operational technology, government-furnished equipment, and test equipment. Documented in the SSP. Eligible for an Enduring Exception where full compliance is not achievable.

  • Out-of-Scope Assets

    Assets physically or logically isolated from all CUI and security functions. Not assessed — but the isolation must be demonstrable. A claimed Out-of-Scope designation without documented controls will not survive assessor review.

The CRMA Dilemma: Why Documentation Has to Be Airtight

If you have 800 computers on your network and claim 790 are CRMAs that don't touch CUI, an assessor will not take your word for it. They perform random sampling on CRMAs. Finding CUI on a single one reclassifies it as a CUI Asset and can stop the assessment.

What makes CRMA classification defensible:

  • VLAN segmentation or access control lists that technically prevent CRMAs from reaching CUI storage
  • Acceptable Use Policies explicitly prohibiting CUI handling, with signed employee acknowledgments
  • Monitoring logs showing no CUI access
  • SSP documentation explaining the risk-based rationale for each CRMA group

The CRMA category is a legitimate tool — but it requires evidence, not just a policy statement. The more CRMAs you claim, the more documentation you need to justify them.

Scope Reduction: Shrink the Assessment, Cut the Cost

Figure: flat network versus VLAN-segmented network.

Flat network (high cost): CUI Server (stores CUI), HR Laptop (no CUI role) and Mfg. PC (factory floor) all sit on one network, so the entire network is in scope. All three devices are assessed against all 110 controls, including the HR laptop that never touches CUI.

VLAN segmented (low cost): the CUI Enclave sits behind a firewall / VLAN barrier and is the only part in scope. The HR Laptop becomes a CRMA and the Mfg. PC becomes Out of Scope, so the assessment shrinks to the enclave only.

The most powerful cost lever in CMMC is not cheaper controls — it is fewer assets that need controls. The following approaches work reliably:

  • The enclave approach: Confine all CUI to a small, FedRAMP-authorized environment like Microsoft GCC High. Everything outside the enclave becomes Out-of-Scope or CRMA. The assessment evaluates only the enclave.
  • VLAN segmentation: Place CUI Assets on a dedicated VLAN with firewall rules blocking CRMA access. Technical controls support CRMA classifications and reduce assessor sampling.
  • Physical controls: Rooms displaying CUI on screens need window covers, privacy filters, and cipher-lock access documented in the SSP. Visual display is processing.
  • Strict need-to-know: Every person and system removed from CUI access is a potential reclassification from CUI Asset to CRMA or Out-of-Scope.
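The scoping rules above (the process/store/transmit trigger, the five asset categories, the CRMA evidence list and VLAN segmentation) can be checked mechanically against an asset inventory. The script below is an added example and is not code from the article or from any DoD or C3PAO tool: it derives the category the evidence supports for each asset, compares it with the category claimed in the SSP, and lists missing CRMA evidence. The field names, VLAN names, firewall flow table and sample assets are all constructed for illustration; the ordering rule that IoT/OT/GFE stay Specialized even when they touch CUI is an assumption to confirm against the DoD scoping guide.

```python
"""Scope consistency checker for a CMMC Level 2 asset inventory (added example)."""
from dataclasses import dataclass

CUI_VLAN = "vlan-cui"   # constructed: VLAN hosting the CUI enclave
SPA_VLAN = "vlan-sec"   # constructed: VLAN hosting SIEM/EDR/AD tooling

# Assessment tiers from the article: a lower number means a more rigorous assessment.
TIER = {"CUI Asset": 1, "Security Protection Asset": 1,
        "CRMA": 2, "Specialized Asset": 2, "Out-of-Scope": 3}
SPECIALIZED_TYPES = {"iot", "ot", "gfe", "test-equipment"}


@dataclass
class Asset:
    name: str
    claimed: str                 # category written in the SSP
    vlan: str
    asset_type: str = "it"       # "it" or one of SPECIALIZED_TYPES
    handles_cui: bool = False    # processes, stores, transmits OR merely displays CUI
    security_function: bool = False
    aup_signed: bool = False     # signed acceptable-use acknowledgement on file
    monitored: bool = False      # access logs reviewed and show no CUI access
    ssp_rationale: bool = False  # risk-based rationale documented in the SSP


def can_reach(asset, allowed_flows, dest_vlan):
    """True if the asset sits on dest_vlan or a firewall rule permits traffic there."""
    return asset.vlan == dest_vlan or (asset.vlan, dest_vlan) in allowed_flows


def derive_category(asset, allowed_flows):
    """Category the evidence supports. Specialized types are checked first
    (assumption: IoT/OT/GFE stay Specialized even when they touch CUI). An asset
    that neither handles CUI nor provides security functions is Out-of-Scope only
    if isolated from both the CUI enclave and the security tooling; otherwise CRMA."""
    if asset.asset_type in SPECIALIZED_TYPES:
        return "Specialized Asset"
    if asset.handles_cui:
        return "CUI Asset"
    if asset.security_function:
        return "Security Protection Asset"
    isolated = not (can_reach(asset, allowed_flows, CUI_VLAN)
                    or can_reach(asset, allowed_flows, SPA_VLAN))
    return "Out-of-Scope" if isolated else "CRMA"


def crma_evidence_gaps(asset, allowed_flows):
    """Items missing from the article's CRMA defensibility list."""
    gaps = []
    if can_reach(asset, allowed_flows, CUI_VLAN):
        gaps.append("no segmentation/ACL blocking reach to CUI storage")
    if not asset.aup_signed:
        gaps.append("no signed AUP prohibiting CUI handling")
    if not asset.monitored:
        gaps.append("no monitoring logs showing absence of CUI access")
    if not asset.ssp_rationale:
        gaps.append("no risk-based rationale in SSP")
    return gaps


def find_scoping_gaps(assets, allowed_flows):
    """Return (asset name, finding) pairs in inventory order. Underclaims are the
    findings that can halt an assessment; overclaims waste remediation budget."""
    findings = []
    for a in assets:
        if a.claimed not in TIER:
            findings.append((a.name, f"unknown category '{a.claimed}'"))
            continue
        derived = derive_category(a, allowed_flows)
        if TIER[a.claimed] > TIER[derived]:
            findings.append((a.name, f"UNDERCLAIMED: SSP says {a.claimed}, evidence supports {derived}"))
        elif TIER[a.claimed] < TIER[derived]:
            findings.append((a.name, f"overclaimed: SSP says {a.claimed}, evidence supports {derived}"))
        elif a.claimed != derived:
            findings.append((a.name, f"miscategorized: SSP says {a.claimed}, evidence supports {derived}"))
        if a.claimed == "CRMA":
            for gap in crma_evidence_gaps(a, allowed_flows):
                findings.append((a.name, f"CRMA evidence gap: {gap}"))
    return findings


# Constructed sample: permitted inter-VLAN flows (source, destination) and an inventory
# modelled on the article's diagram plus the VDI "viewing is processing" case.
SAMPLE_FLOWS = {("vlan-corp", SPA_VLAN), (CUI_VLAN, SPA_VLAN)}
SAMPLE_ASSETS = [
    Asset("cui-fileserver", "CUI Asset", CUI_VLAN, handles_cui=True),
    Asset("siem", "Security Protection Asset", SPA_VLAN, security_function=True),
    Asset("hr-laptop", "CRMA", "vlan-corp", aup_signed=True, monitored=True, ssp_rationale=True),
    Asset("eng-laptop", "CRMA", "vlan-corp", handles_cui=True,   # views CUI over VDI
          aup_signed=True, monitored=True, ssp_rationale=True),
    Asset("finance-laptop", "Out-of-Scope", "vlan-corp"),       # reaches security VLAN
    Asset("mfg-pc", "Out-of-Scope", "vlan-mfg"),                 # no flows: truly isolated
    Asset("print-server", "CUI Asset", "vlan-corp"),             # no CUI role at all
]

if __name__ == "__main__":
    for name, finding in find_scoping_gaps(SAMPLE_ASSETS, SAMPLE_FLOWS):
        print(f"{name}: {finding}")
```

Run against the sample, the checker flags the engineering laptop (CUI viewed over VDI makes it a CUI Asset, the article's "process" surprise), the finance laptop (claimed Out-of-Scope but not isolated from the security tooling, so isolation is not demonstrable) and the print server (claimed CUI Asset with no CUI role, wasted remediation budget), while the HR laptop passes as a CRMA with all four evidence items present. Feeding the same inventory and flow table to your data flow diagram and network diagram reviews is one way to keep the "same consistent story" the assessor looks for.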

The Bottom Line

Your CMMC Level 2 assessment is only as expensive as you make your scope. The DoD's five asset categories give you the tools to make deliberate, defensible decisions about what gets assessed and what does not. But those decisions only hold if your data flow diagram, network diagram, asset inventory, and SSP all tell the same consistent story.

The first thing a C3PAO assessor reviews is your scoping documentation. If they cannot see a clear, defensible boundary backed by documentation that agrees with itself, the assessment starts in trouble before a single control is evaluated.