DEV Community

NextGenRails

How to Scope CUI Before a CMMC Level 2 Assessment — The Mistakes Assessors Find Immediately

Most defense contractors approach their CMMC Level 2 assessment backwards.

They spend months hardening systems, implementing controls, and building out their System Security Plan — then walk into the assessment with an incomplete CUI boundary, no documented scoping decisions, and a CUI inventory that doesn't match reality.

Assessors find it immediately. And when they do, everything else stops.

This post covers how to get CUI scoping right before an assessor ever sets foot in your environment.


Why CUI Scoping Fails Most Small Contractors

CUI scoping isn't a technical problem. It's a documentation and decision problem.

The CMMC assessment process requires you to demonstrate that you know:

  1. What CUI you have
  2. Where it lives
  3. How it flows through your environment
  4. Who can access it
  5. How it's protected at every point in its lifecycle

Most contractors can answer #1 loosely. Almost none can answer #2 through #5 with documented evidence.

The result is an assessment that stalls at the boundary definition phase — before a single NIST SP 800-171 control gets evaluated.


The COPR Framework: Does This Information Actually Qualify as CUI?

Before you can scope anything, you need to know what qualifies as CUI. The answer isn't "anything the government sends us."

Use the COPR test. All four conditions must be satisfied:

Created — Was this information created by or for a federal agency, or does it meet a CUI category definition?

Owned — Does a federal agency own this information or have a possessory interest in it?

Possessed — Do you currently possess this information in any form — digital, physical, transmitted?

Regulated — Is this information regulated under a specific law, regulation, or government-wide policy that requires protection?

If all four are true, it's CUI. If any one fails, it isn't — regardless of how sensitive it looks.

This matters because over-scoping is as dangerous as under-scoping. Contractors who treat all internal documents as CUI create an unmanageable control environment and can't maintain it through an assessment.


The Most Common Scoping Mistakes

1. Not consulting the CUI Registry

The NARA CUI Registry (cui.archives.gov) is the authoritative source for CUI categories. Your contract may reference specific categories — Controlled Technical Information (CTI), Export Controlled, Privacy — but many contractors never cross-reference what they receive against the registry to confirm it actually qualifies.

Check every CUI designation against the registry. Document the category and subcategory for each type of CUI you handle.

2. Treating the SSP boundary as the CUI boundary

Your System Security Plan defines the assessment boundary. Your CUI boundary defines what information within that boundary requires protection.

These are not the same thing.

A system can be in scope for the assessment without containing CUI. A system containing CUI must be in scope. Conflating the two creates gaps that assessors expose immediately.

3. Missing third-party flow-down

If you share CUI with subcontractors, vendors, or cloud service providers, that sharing must be documented and controlled. Flow-down requirements under DFARS 252.204-7012 apply to your entire supply chain.

Assessors will ask: "Where does this CUI go after it leaves your environment?" If you can't answer that with documentation, you have a gap.

4. No documented scoping decisions

It's not enough to have made good decisions about what's in scope. You must have documented evidence that you made those decisions, when you made them, and why.

"We discussed it in a meeting" is not evidence. A dated scoping memo, a completed boundary worksheet, or a documented determination attached to your SSP is evidence.

5. The CUI inventory doesn't match the SSP

Your CUI inventory should map directly to the systems and boundaries described in your SSP. If the inventory lists file shares that aren't in the SSP, or the SSP describes systems the inventory doesn't mention, assessors will flag the inconsistency and require reconciliation on the spot.


What a Defensible CUI Scoping Package Looks Like

Before your assessment, you should have:

  • CUI Inventory — Every location where CUI exists, categorized by type, with system or location reference
  • System Boundary Worksheet — Documented boundary definition with justification for what's in and out of scope
  • Data Flow Diagram — How CUI enters, moves through, and exits your environment
  • Third-Party Flow-Down Worksheet — Every external entity that receives CUI, with controls and contractual flow-down documented
  • Scoping Decision Log — Dated record of scoping decisions with rationale
  • SSP CUI Section — Completed CUI-specific sections of the System Security Plan that match the inventory and boundary

None of these are optional. Assessors will request all of them.


The November 10 Deadline

CMMC Phase 2 enforcement begins November 10, 2026. Contracts issued after that date for work involving CUI will require CMMC Level 2 certification — not self-attestation, actual third-party assessment.

For small defense contractors, the assessment window is already compressing. CMMC Third-Party Assessment Organizations (C3PAOs) are booking out. Contractors who haven't started scoping yet are behind.

CUI scoping is the prerequisite for everything else. You can't harden systems you haven't identified. You can't protect information you haven't inventoried.

Start with the boundary. Document every decision. Build the inventory before you touch a control.


Resources

If you want a structured toolkit for working through this process — including the COPR decision framework, fillable inventory templates, system boundary worksheets, third-party flow-down documentation, and a completed SSP CUI section example — I built one specifically for small defense contractors navigating Level 2.

cuistandard.com — $199 one-time, instant download.

The 15-section reference guide and 10 fillable working documents give you the exact package an assessor expects to see.


CMMC Phase 2 enforcement starts November 10, 2026. The contractors who get through assessment cleanly will be the ones who started scoping early and documented everything.
