
CMMC Level 2 Assessment Scope Explained

Where CUI Makes Systems In Scope

Before you can implement a single CMMC control, you have to answer one question: what, exactly, are you protecting? The answer determines whether your CMMC certification costs $50,000 or $500,000.

CMMC Level 2 scoping is the process of identifying every person, device, system, and facility that processes, stores, or transmits Controlled Unclassified Information (CUI), then classifying each asset into one of five DoD-defined categories under 32 CFR Part 170. This scoping exercise, required before any C3PAO assessment under DFARS 252.204-7021, determines the assessment boundary documented in your System Security Plan (SSP). The category an asset falls into determines how rigorously it gets evaluated against NIST SP 800-171 controls.

What does "process, store, or transmit" mean for CMMC scoping?

Three words drive all CMMC scoping. Any asset that does any one of these things with CUI enters the assessment scope.

Process

CUI is accessed, entered, edited, generated, manipulated, or printed. This is broader than most contractors assume.

Store

CUI is inactive or at rest on an asset — on a drive, in memory, on paper.

Transmit

CUI moves from one asset to another — across a network, via email, on removable media.

Figure: The three CUI handling actions that trigger CMMC scoping — any one is sufficient to bring an asset into the assessment boundary.

"Process" is the word that creates surprises. If an employee uses a remote VDI session to view CUI, the local laptop screen is visually displaying that data, and displaying a view of CUI counts as processing. Without compensating controls documented in the SSP, that laptop is in scope. The data doesn't need to download to the device for it to qualify.

"Process" in CMMC scoping includes viewing, printing, and generating CUI — not just computation. Any device used to see CUI is a candidate for in-scope classification.

What are the 5 CMMC asset categories?

Tier 1 — Full Assessment (all 110 CMMC practices; every applicable control evaluated)
  CUI Assets: actively process, store, or transmit CUI
  Security Protection Assets (SPA): provide security functions for the CUI environment

Tier 2 — SSP Assessment Only (spot checks if documentation raises concerns)
  Contractor Risk Managed Assets (CRMA): can, but are not intended to, touch CUI — controlled by policy
  Specialized Assets: IoT, OT, GFE, biometrics — Enduring Exception eligible

Tier 3 — Not Assessed (physically or logically isolated — no CUI contact)
  Out-of-Scope Assets: zero CUI exposure, zero assessment requirement; isolation must be demonstrable

Table: CMMC Level 2 asset tier matrix — five categories from full assessment (CUI Assets, SPAs) to SSP-only review (CRMAs, Specialized Assets) to not assessed (Out-of-Scope).

Getting your tier assignment wrong is one of the most expensive mistakes in CMMC preparation. An asset miscategorized as Out-of-Scope that an assessor finds holding CUI can halt an entire assessment. An asset overcategorized as a CUI Asset when it is truly a CRMA wastes remediation budget on controls it doesn't need.

  • CUI Assets

    Assets that actively process, store, or transmit CUI. Assessed against all 110 applicable CMMC practices. Examples: file servers, engineer workstations, cloud storage in GCC High, email systems receiving CUI from DoD.

  • Security Protection Assets (SPA)

    Assets that provide security functions for your CUI environment — irrespective of whether they touch CUI directly. Firewalls, SIEM platforms, EDR tools, Active Directory, vulnerability scanners, and any MSP managing security on your behalf. Compromising any of these could expose CUI.

  • Contractor Risk Managed Assets (CRMA)

    Assets that can, but are not intended to, process, store, or transmit CUI — controlled by risk-based policy, not physical separation. Assessed only through SSP documentation review. If CUI is found, the asset immediately becomes a CUI Asset.

  • Specialized Assets

    IoT devices, operational technology, government-furnished equipment, and test equipment. Documented in the SSP. Eligible for an Enduring Exception where full compliance is not achievable.

  • Out-of-Scope Assets

    Assets physically or logically isolated from all CUI and security functions. Not assessed — but the logical isolation must be demonstrable through network segmentation evidence and firewall rules. A claimed Out-of-Scope designation without documented controls will not survive assessor review.

What evidence do CMMC assessors require for CRMA classification?

If you have 800 computers on your network and claim 790 are CRMAs that don't touch CUI, an assessor will not take your word for it. They perform random sampling on CRMAs. Finding CUI on a single one reclassifies it as a CUI Asset and can stop the assessment.

What makes CRMA classification defensible:

  • VLAN segmentation or access control lists that technically prevent CRMAs from reaching CUI storage
  • Acceptable Use Policies explicitly prohibiting CUI handling, with signed employee acknowledgments
  • Monitoring logs showing no CUI access
  • SSP documentation explaining the risk-based rationale for each CRMA group

The CRMA category is a legitimate tool — but it requires evidence, not just a policy statement. The more CRMAs you claim, the more documentation you need to justify them.

How do CUI enclaves and VLAN segmentation reduce CMMC scope?

Figure: Flat network vs CUI enclave with VLAN segmentation. Flat network (high cost): the CUI server, the HR laptop, and the manufacturing-floor PC are all in scope and assessed against all 110 controls, including the HR laptop that never touches CUI. VLAN-segmented network (low cost): a firewall/VLAN barrier confines the assessment to the CUI enclave; the HR laptop becomes a CRMA and the manufacturing PC becomes Out-of-Scope. Logical isolation reduces the number of assets assessed against all 110 CMMC controls.

The most powerful cost lever in CMMC is not cheaper controls — it is fewer assets that need controls. Three approaches work reliably:

  • The CUI enclave approach: Confine all CUI to a small, FedRAMP Moderate-authorized environment like Microsoft GCC High. Everything outside the enclave becomes Out-of-Scope or CRMA. The assessment evaluates only the enclave.
  • VLAN segmentation: Place CUI Assets on a dedicated VLAN with firewall rules blocking CRMA access. Technical controls support CRMA classifications and reduce assessor sampling.
  • Physical controls: Rooms displaying CUI on screens need window covers, privacy filters, and cipher-lock access documented in the SSP. Visual display is processing.
  • Strict need-to-know: Every person and system removed from CUI access is a potential reclassification from CUI Asset to CRMA or Out-of-Scope.

The Bottom Line

Start by building a complete asset inventory that categorizes every person, device, system, and facility into the five CMMC asset categories. Create a data flow diagram showing how CUI enters, moves through, and exits your environment. Build a network diagram showing VLANs, firewalls, and enclave boundaries. Verify all three documents tell the same consistent story and cross-reference them in your SSP. For every CRMA, document the specific technical controls (VLAN ACLs, access restrictions) and policy controls (signed AUP) that prevent CUI access.
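The cross-check described above, and the CRMA evidence requirements from the earlier section, can be mechanized. The following is an added example written for this article, not tooling from any assessor, C3PAO, or the DoD. It models the three scoping artifacts as data (an asset inventory with the five categories, first-match inter-VLAN firewall rules standing in for the network diagram, and CUI data-flow pairs standing in for the data flow diagram) and reports where they disagree: a CRMA or Out-of-Scope asset that appears in a CUI flow, an isolation claim with no deny rule behind it, and a CRMA missing its signed AUP or SSP rationale. Asset names, VLAN names, rules, and flows are constructed sample values.

```python
from dataclasses import dataclass

# The five asset categories defined under 32 CFR Part 170, named as in the article.
CUI_ASSET = "CUI Asset"
SPA = "Security Protection Asset"
CRMA = "Contractor Risk Managed Asset"
SPECIALIZED = "Specialized Asset"
OUT_OF_SCOPE = "Out-of-Scope Asset"
CATEGORIES = {CUI_ASSET, SPA, CRMA, SPECIALIZED, OUT_OF_SCOPE}


@dataclass
class Asset:
    name: str
    category: str
    vlan: str
    signed_aup: bool = False   # signed AUP acknowledgment on file for the asset's users
    ssp_rationale: str = ""    # risk-based rationale recorded in the SSP (CRMAs only)


@dataclass
class Rule:
    """One inter-VLAN firewall/ACL rule from the network diagram; evaluated first-match."""
    src_vlan: str
    dst_vlan: str
    action: str  # "allow" or "deny"


def vlan_reachable(rules, src_vlan, dst_vlan):
    """True if traffic from src_vlan can reach dst_vlan.

    Same-VLAN traffic is always reachable. With no matching rule the path is
    treated as OPEN: an undocumented path is not demonstrable isolation.
    """
    if src_vlan == dst_vlan:
        return True
    for r in rules:
        if r.src_vlan == src_vlan and r.dst_vlan == dst_vlan:
            return r.action == "allow"
    return True


def scoping_findings(assets, rules, cui_flows):
    """Cross-check inventory, network rules and CUI data flows; return (asset, finding) pairs."""
    by_name = {a.name: a for a in assets}
    cui_vlans = {a.vlan for a in assets if a.category == CUI_ASSET}
    findings = []

    # 1. Every asset must carry one of the five categories.
    for a in assets:
        if a.category not in CATEGORIES:
            findings.append((a.name, f"unknown category '{a.category}'"))

    # 2. Every CUI data-flow endpoint must be inventoried and be a CUI Asset.
    #    SPAs are tolerated because a firewall or gateway may sit inline on a flow.
    for src, dst in cui_flows:
        for name in (src, dst):
            a = by_name.get(name)
            if a is None:
                findings.append((name, "appears in CUI data flow but not in asset inventory"))
            elif a.category not in (CUI_ASSET, SPA):
                findings.append((name, f"{a.category} appears in a CUI data flow; reclassify as CUI Asset"))

    # 3. CRMA and Out-of-Scope claims need technical evidence; CRMAs also need policy evidence.
    for a in assets:
        reaches_cui = any(vlan_reachable(rules, a.vlan, v) for v in cui_vlans)
        if a.category == OUT_OF_SCOPE and reaches_cui:
            findings.append((a.name, "Out-of-Scope claim not demonstrable: no deny rule isolates it from a CUI VLAN"))
        if a.category == CRMA:
            if reaches_cui:
                findings.append((a.name, "CRMA lacks a VLAN/ACL control blocking reach to the CUI VLAN"))
            if not a.signed_aup:
                findings.append((a.name, "CRMA lacks signed AUP acknowledgment"))
            if not a.ssp_rationale:
                findings.append((a.name, "CRMA lacks risk-based rationale in SSP"))
    return findings


# Constructed sample scoping package (hypothetical contractor; not real data).
SAMPLE_ASSETS = [
    Asset("fs01", CUI_ASSET, "cui"),
    Asset("eng-ws01", CUI_ASSET, "cui"),
    Asset("fw01", SPA, "mgmt"),
    Asset("hr-lt01", CRMA, "corp", signed_aup=True, ssp_rationale="HR staff; no contract engineering role"),
    Asset("hr-lt02", CRMA, "corp"),                        # no AUP signed, no rationale written
    Asset("eng-ws02", CRMA, "corp", signed_aup=True, ssp_rationale="Drafting only"),
    Asset("mfg-pc01", OUT_OF_SCOPE, "ot"),
    Asset("mfg-pc02", OUT_OF_SCOPE, "guest"),              # no deny rule covers guest -> cui
]
SAMPLE_RULES = [
    Rule("corp", "cui", "deny"),
    Rule("ot", "cui", "deny"),
    Rule("mgmt", "cui", "allow"),
]
# The second flow contradicts eng-ws02's CRMA claim in the inventory.
SAMPLE_FLOWS = [("fs01", "eng-ws01"), ("fs01", "eng-ws02")]

if __name__ == "__main__":
    for name, msg in scoping_findings(SAMPLE_ASSETS, SAMPLE_RULES, SAMPLE_FLOWS):
        print(f"{name}: {msg}")
```

On the sample data the check returns four findings: eng-ws02 sits on a CUI flow despite its CRMA label, hr-lt02 lacks both the signed AUP and the SSP rationale, and mfg-pc02's Out-of-Scope claim has no deny rule behind it. hr-lt01 and mfg-pc01 pass because the corp and ot VLANs carry explicit deny rules toward the CUI VLAN. The deliberate default-open choice in vlan_reachable mirrors the article's point that isolation must be demonstrable: silence in the firewall rule set is not evidence.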

Before engaging a C3PAO: finalize your asset inventory, data flow diagram, and network diagram. Verify that every asset is categorized, every CUI path is mapped, and every CRMA justification is documented with technical evidence. Cross-reference all three artifacts in your SSP. The assessment begins with scoping — get it right first.