Skip to main content
Compliance Guidance

Before the Assessor Shows Up: The Five CMMC Asset Categories That Define Your Scope

With CMMC Phase 2 four months out, contractors are booking C3PAO assessments — but most haven't correctly drawn the boundary the assessor will actually test.

Brandon Hancock, J.D., CMMC-RPPublished July 9, 2026Updated July 9, 20267 min read

With CMMC Phase 2 four months out, contractors are booking C3PAO assessments — but most haven't correctly drawn the boundary the assessor will actually test.

The single most consequential decision in a CMMC Level 2 assessment happens before the assessor ever logs in: how you categorize your own assets. Under 32 C.F.R. § 170.19 and DoD's CMMC Scoping Guide – Level 2 (Version 2.13), every system, service, and piece of equipment in your environment sorts into one of five categories — and that category determines whether it gets assessed against all 110 NIST SP 800-171 requirements, a subset, or none at all. Get the categorization wrong and you either hand the assessor a boundary broader than the contract requires or, worse, leave CUI-touching assets outside the scope entirely.

The five categories

DoD's guidance maps every asset in your environment into one of these buckets:

CUI Assets — anything that processes, stores, or transmits CUI. These are assessed against all 110 Level 2 security requirements. This is the core of your boundary.

Security Protection Assets — assets that provide security functions to your CMMC scope without necessarily touching CUI themselves: a SIEM, a hosted VPN service, the SOC monitoring your environment. These are assessed only against the Level 2 requirements relevant to the function they provide.

Contractor Risk Managed Assets (CRMAs) — assets that could process, store, or transmit CUI but are prevented from doing so by your own security policy and practices, and that don't need to be physically or logically separated from CUI assets. If your System Security Plan (SSP) documents them adequately, the assessor doesn't test them further — unless something in the documentation raises a question, in which case a limited check follows.

Specialized Assets — IoT and IIoT devices, operational technology, Government Furnished Equipment, restricted information systems, and test equipment. These can touch CUI but can't fully implement NIST SP 800-171 by design. The assessor reviews the SSP to confirm they're managed under your risk-based practices; they are not assessed against the individual security requirements.

Out-of-Scope Assets — assets that cannot process, store, or transmit CUI and provide no security protection to CUI assets, typically because they're physically or logically separated. No documentation obligation, no assessment.

Why the categorization is where compliance programs actually fail

Two mistakes account for most scoping problems. The first is treating "risk-managed" as a synonym for "ignore it" — a CRMA still has to be inventoried, documented in the SSP, and diagrammed; it's exempt from routine testing, not from the paperwork. The second is under-documenting separation: an asset is only Out-of-Scope if it's actually cut off — physically or logically — from CUI assets and provides them no security function. An unsegmented laptop that merely "shouldn't" touch CUI is not automatically out of scope; the burden is on the organization to show the separation, not assume it.

External Service Providers add a further wrinkle. A managed service provider or cloud vendor is pulled into your assessment scope if it stores, processes, or transmits CUI or Security Protection Data on your behalf — and if it's a cloud service provider handling CUI, it must independently meet the FedRAMP-equivalent requirements referenced in DFARS 252.204-7012. An ESP that's pure staff augmentation, using your infrastructure, generally isn't captured the same way. Sorting this out — and documenting it in your SSP and network diagram — is exactly the kind of pre-assessment work a C3PAO expects to see finished, not started, on day one.

Why this matters now

CMMC Phase 2 requirements begin taking hold for new DoD solicitations in November 2026. Assessment scope isn't something a C3PAO defines for you — the Organization Seeking Assessment specifies it before the engagement begins, and a scope that's too broad or too narrow either inflates your assessment cost and timeline or leaves you certified against the wrong boundary. Scoping is also not a one-time exercise: significant architecture changes, network expansions, or a merger or acquisition can require a new assessment even under an existing SSP.

Key Takeaways

  • Every asset in your environment falls into one of five categories — CUI Asset, Security Protection Asset, Contractor Risk Managed Asset, Specialized Asset, or Out-of-Scope Asset — and the category, not intent, determines what gets assessed.
  • "Risk-managed" and "specialized" still require documentation — asset inventory, SSP treatment, and a network diagram — even when they're exempt from full testing.
  • Out-of-scope status must be demonstrated, not assumed — separation from CUI assets, physical or logical, is the organization's burden to show.

Start your own boundary review with Find My Requirements, see how scoping feeds into the broader frameworks contractors face, review the Phase 2 timeline on the CMMC Phase 2 deadline post, and build your documentation with the compliance program builder and checklists.

Share
BH

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.

Was this post helpful?