CMMC: Scoping the Environment

Scoping determines the boundaries where Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) are stored, processed, and exchanged within the Department of Defense (DoD) contractor’s environment. If scoping is not done accurately, then the entire network and business functions may be in scope for a CMMC assessment, and protecting the entire organization may be prohibitively expensive.

Getting started on the right foot

There is no official guidance on how to scope an environment for the protection of CUI/FCI while stored, processed, and exchanged. The DoD is actively working to publish scoping guidance for CMMC assessments. The intent of this white paper is not to go into every detail for the contractor to architect its CMMC boundaries, but instead to provide a high-level overview of the foundational components that define what portions of a contractor’s environment are in scope for an assessment. Contact us for more information on scoping for your environment.

Scoping Objective

The overall objective of scoping is to outline the logical, physical, and functional boundaries for conducting operations to ensure that FCI/CUI data is protected. Scoping includes documenting facilities, areas, systems, applications, and services in the organization that are within the scope of NIST SP 800-171 and CMMC compliance. The intent is to isolate CUI/FCI where possible to reduce the footprint for what is in scope for a CMMC assessment for certification.


Scoping can be viewed in eight major zones with architecture tailored to organization size, complexity, and contractual requirements for protecting CUI/FCI. Zone 1, known as the “Secure Enclave,” handles CUI/FCI storage, processing, and transmission. The zones’ overlap depends on the contractor’s design and implementation of software, systems, personnel, and services, and how they interact with CUI/FCI in the Secure Enclave. Creating an isolated environment for CUI/FCI storage, processing, and transmission requires planning and forethought.

Zone 1: CUI/FCI – Zone 1 contains the applications, software, systems, personnel, and services that directly store, process, and exchange CUI/FCI. This data must be stored and processed from within a secure enclave. Some organizations call this zone the “Secure Enclave.”

Zone 2: Segmented – Zone 2 is designed to ensure that the Secure Enclave is self-contained and does not allow any access to uncontrolled areas, using segmentation to logically isolate it from the rest of the organization. Properly designing and implementing segmentation will reduce the scope of a CMMC assessment.

Zone 3: Security Tools and Support – Zone 3 is designed to provide security services, people, processes, and technologies to protect, monitor, and respond to issues that may impact the Secure Enclave. Depending on the role of the security services and/or tools, this zone can be in or out of scope, typically dependent on access control policies. Implementation of security tools should be based on the concept of defense in depth. Managed service providers can fall into this zone.

Zone 4: Connected – Zone 4 consists of systems, applications, personnel, or services that have either a direct or indirect connection to the Secure Enclave. If these have the potential to impact the Secure Enclave, then they are in scope. Managed service providers can fall into this zone.

Zone 5: Enterprise-Wide – Zone 5 is the organization’s enterprise information security program that is required to implement and maintain the Non-Federal Organization (NFO) controls in Appendix E of NIST SP 800-171 Revision 2.

Zone 6: Out of Scope – Zone 6 consists of the applications, software, systems, personnel, and services that are completely isolated from the Secure Enclave. These components do not store, process, or exchange CUI/FCI and are considered out of scope.

Zone X: Third Party Service Provider – Zone X contains those contractors and subcontractors that are a part of supply chain services and must meet contractual flow-down security requirements. The role that services play will depend on whether they can directly or indirectly impact the Secure Enclave.

Zone Y: Contractor / Subcontractor – Zone Y is a party to the execution of the contract where the contractor is also storing, processing, and transmitting CUI/FCI. This zone is named Y due to the possibility that a contractor or its subcontractor can fall into other zones depending on its role. The contractor will always be in scope for CMMC.

Redspin’s CMMC Services won the 2023 Cybersecurity Excellence Award for best National Cyber Defense Cybersecurity Industry Solution.

Redspin, an early adopter of working with Cyber-AB to help define the program, is the first Authorized CMMC C3PAO and is an RPO.

About Redspin

Redspin, a division of Clearwater, has become one of the most trusted cybersecurity companies for the Defense Industrial Base. Our exclusive focus on tailoring our CMMC assessment, training, consulting, and managed services for each client delivers peace of mind by lowering the risk of a security incident or breach, and meeting/maintaining compliance regulations. Since our founding in 2001, we’ve become a thought leader in IT security, helped countless clients control their security risk, develop their security strategy, and avoid a breach headline.
