The CMMC Level 2 scoping worksheet

Before you secure a single requirement, you sort every asset into one of five categories from the official Scoping Guide. Get this right and Level 2 shrinks from your whole company to one enclave. Here is the worksheet, in plain English.

Last updated July 4, 2026~7 minute readPrimary sources cited
5
Asset categories in the Scoping Guide
1
Enclave can cut scope dramatically
110
Requirements that apply only in scope
#1
Cost lever at Level 2

The five asset categories

Walk every laptop, server, phone, cloud app, and person in your business and drop each into exactly one bucket below. What lands in scope is what you have to secure and evidence.

CUI

CUI Assets

Anything that processes, stores, or transmits Controlled Unclassified Information: the laptops, servers, apps, and people that actually touch CUI.

How it is treated: In scope. Assessed against all applicable Level 2 requirements.

SPA

Security Protection Assets

Systems that provide security functions to the CUI environment even if they never touch CUI themselves: your SIEM, MFA provider, VPN, or a security MSP's tooling.

How it is treated: In scope. Assessed against the requirements relevant to the protection they provide.

CRMA

Contractor Risk Managed Assets

Assets that can, but are not intended to, handle CUI, and that you choose to manage with policy rather than full technical control.

How it is treated: In scope, but assessed against your policies. Document them and manage the risk.

SA

Specialized Assets

Government furnished equipment, IoT and OT, test equipment, and restricted information systems that cannot fully meet the requirements.

How it is treated: In scope, managed via your SSP and risk based decisions. Documented, not fully assessed.

OOS

Out of Scope Assets

Systems physically or logically separated from CUI, with no ability to reach it. Your marketing laptop that never touches a defense contract lives here.

How it is treated: Out of scope. Not assessed, provided the separation is real and demonstrable.

Let the platform sort your assets for you

Answer plain questions and the Level 2 Accelerator classifies every asset into the five categories, builds your inventory and CUI data flow, and shows exactly what falls in scope, before you spend a dollar securing the wrong things.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

Questions, answered

Why does scoping matter so much for CMMC Level 2?+

Scope decides how many systems, people, and places get assessed against 110 requirements. A business that lets CUI touch everything must secure everything. A business that isolates CUI to one enclave only has to secure that enclave. Scope is the single biggest driver of both cost and effort at Level 2.

What is a CUI enclave?+

An enclave is a deliberately small, separated environment where all your CUI lives and is worked, walled off from the rest of your business. Building one is the most common way small contractors shrink Level 2 scope from their whole company down to a handful of assets.

What are the five asset categories?+

The official CMMC Level 2 Scoping Guide sorts every asset into one of five categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out of Scope Assets. Each is treated differently in the assessment. The worksheet above walks all five.

How do I know which category something belongs in?+

Answer plain questions about what each system does and whether it can reach CUI. The platform does exactly this, sorting your inventory into the five categories from your answers and producing the asset list an assessor expects, so you never guess.

Source: CMMC Level 2 Scoping Guide v2.13 (DoD-CIO). Related: how scope drives cost · the 110 requirements.