The CMMC Level 1 scoping worksheet.
Scoping is the single most expensive decision in CMMC. Get it right and your work shrinks 90%. Get it wrong and you secure your entire company when you only needed to secure a corner of it.
- 20 min to complete
- 1 boundary you defend
- 90% less work if scoped right
What scoping is
Scoping means drawing a line around the people, devices, networks, and cloud apps that touch Federal Contract Information (FCI). Anything inside the line has to meet the 15 CMMC L1 controls. Anything outside does not.
The mistake everyone makes: treating everything in the company as in-scope. A 6-person shop with one federal contract often has 3 laptops, 2 cloud apps, and a firewall in scope — not 20 systems.
The contracts that trigger CMMC for you
List every active federal contract or subcontract that references FAR 52.204-21 or contains FCI. If none, you don't need CMMC L1 yet.
| Contract / PO # | Prime or agency | FAR 52.204-21? | Contains CUI? |
|---|---|---|---|
If any row says yes to “Contains CUI?”, you need CMMC Level 2, not Level 1. Stop here and see CUI vs FCI.
People who touch FCI
Every person whose job involves opening, editing, emailing, or filing FCI. Front desk staff who only stamp envelopes usually aren't in scope; the project lead and engineers usually are.
| Name | Role | Why they need access | Access type |
|---|---|---|---|
Devices in scope
Any laptop, desktop, phone, or server that processes, stores, or transmits FCI.
| Device (make / model) | Assigned to | OS | MFA / antivirus on? |
|---|---|---|---|
Cloud apps & external connections
Email, file storage, accounting, project management, vendor portals — anything cloud-hosted where FCI lives or travels.
| App / service | What it holds | MFA enforced? | Owner |
|---|---|---|---|
Network & physical boundary
Boundary diagram — draw it
On the grid below, sketch your boundary. Inside the box: in-scope people, devices, cloud apps. Outside: everything else. A 30-second drawing is a 100% acceptable Level 1 diagram.
Out of scope — declared
Anything that does not touch FCI. Listing this explicitly protects you when a prime asks “is X part of your assessment boundary?” The answer is on file.
Sign-off
I confirm that the scope defined above accurately reflects the systems, people, and information that touch federal contract information at our organization, and that anything not listed has been intentionally excluded.
