Three CMMC scoping mistakes that derail audits

L2CS · February 12, 2026

Before you write a policy, buy a tool, or call an assessor, you make one decision that determines the cost and difficulty of everything that follows: what is in scope. Scope is the set of people, systems, and facilities that store, process, or transmit CUI — plus the things that protect them. Get it right and the program is tractable. Get it wrong and you either overspend for years or fail an assessment on something avoidable.

Here are the three mistakes we see most.

1. Scoping the whole company

The instinct is to treat the entire network as in-scope "to be safe." It is the most expensive instinct there is. Every in-scope asset is something you must secure, document, monitor, and defend in an assessment. A 200-person company that scopes all 200 seats is signing up to harden 200 seats.

The fix is an enclave: a deliberately small, well-defined boundary where CUI actually lives, separated from the rest of the business. Done well, you take a company-wide problem and turn it into a project with edges.

2. Forgetting the assets that touch the boundary

The opposite error is drawing the enclave too cleanly and ignoring the systems that reach into it. Your security tooling, your identity provider, the laptop an admin uses to manage the enclave — these are in scope even if they never hold a CUI file, because compromising them compromises the boundary.

Missing these is how a confident team gets surprised in an assessment. The asset categories matter: CUI assets, security protection assets, and the contractor risk-managed assets around them each carry different obligations. Naming every asset and putting it in the right category is unglamorous work that prevents expensive surprises.

3. Treating people and paper as out of scope

Scope is not only technical. The people with access, the physical spaces where CUI is handled, and the procedures that govern both are part of the boundary. A spotless network does not help if CUI is printed and left on a desk, or if a subcontractor has standing access nobody documented.

How to get it right

Good scoping is a short, structured exercise, not a guess:

  1. Find the CUI. Trace where it enters, where it rests, and where it leaves.
  2. Draw the smallest defensible boundary around it.
  3. Inventory every asset that lives in, protects, or touches that boundary, and categorize each one.
  4. Write it down in the System Security Plan so the boundary is the same on paper as it is in reality.

That last point is where scope meets the SSP — which is exactly where we will pick up next month.

Not sure your boundary is drawn in the right place? That is the first thing a gap assessment settles. Start with a discovery call.