
CMMC Level 1 Scoping — How to Draw the Boundary (Free Worksheet) — 2026

Scoping is the single most expensive decision in CMMC Level 1. Here's how to draw a defensible boundary in 20 minutes — and a free worksheet to write it down.

By David Fuentes · Compliance Officer, Custodia · May 13, 2026 · 6 min read

Why scoping is the 90% lever

Every CMMC dollar you spend is multiplied by the size of your scope. If you treat “everything in the company” as in-scope, you owe the 15 controls on every laptop, every cloud app, every room, and every new hire. If you scope carefully, a typical 6-person defense contractor has 3 laptops, 2 cloud apps, and one network in scope.

Scoping is also the area where consultants extract the most margin — a 30-minute scoping conversation often becomes a $4,000 line item. It shouldn't. Here is what the work actually looks like.

The five things to scope

  1. People who touch FCI. Names and roles. Not every employee — only those who handle, view, or store federal contract info.
  2. Devices that touch FCI. Laptops, desktops, phones, tablets, on-prem servers. Identified by hostname or serial.
  3. Cloud apps that store, transmit, or process FCI. Email is almost always in. CRM — depends. Accounting — usually out.
  4. The network and physical area. Which Wi-Fi, which firewall, which physical room.
  5. External connections. VPNs to primes, B2B portals, MSP remote access.

What can legitimately be out of scope

  • A phone or laptop that never touches federal contract info or your work email
  • The bookkeeping computer if it's on its own login and doesn't hold FCI
  • A guest Wi-Fi that's isolated from the work network
  • A shared printer with no scanned FCI in its history
  • Personal phones if you don't allow work email on them

Drawing the boundary diagram

A boundary diagram is a sketch that shows what's inside the boundary (in scope) and what's outside. A typical one for a small contractor:

  • A box labeled “In-scope work area” with the 3 laptops, the work Wi-Fi, the firewall.
  • An arrow to “M365 / Email” in the cloud.
  • Outside the box: guest Wi-Fi, personal phones, the front desk computer.
  • An arrow showing the connection to your prime's portal.

Pencil on paper is fine. So is Lucidchart or draw.io or a screenshot of a whiteboard. What matters is clarity.

Get the free worksheet

The Custodia scoping worksheet walks you through all five elements with tables to fill in and signature blocks: Open the worksheet →

Or follow the full DIY path: The Free DIY CMMC Level 1 Handbook.

FAQ

What is FCI?

Federal Contract Information. It's information provided by or generated for the government under a contract, not intended for public release. Examples: contract performance status, proposal drafts, technical specifications shared with you for delivery. See our CUI vs FCI guide for the line between FCI (Level 1) and CUI (Level 2).

Can I exclude a laptop from scope?

Yes — if it never touches FCI. The receptionist's laptop, the bookkeeper's laptop used only for QuickBooks, the warehouse tablet used only for inventory: these can be out of scope if they're segregated. Document the segregation in your scoping worksheet.

Do I need a fancy network diagram?

No. At Level 1 a pencil sketch is acceptable evidence. What matters is that someone unfamiliar with your company can look at it and understand where FCI lives, who can access it, and where the boundary stops.
