The CMMC Level 2 scoping worksheet
Before you secure a single requirement, you sort every asset into one of five categories from the official Scoping Guide. Get this right and Level 2 shrinks from your whole company to one enclave. Here is the worksheet, in plain English.
The five asset categories
Walk every laptop, server, phone, cloud app, and person in your business and drop each into exactly one bucket below. What lands in scope is what you have to secure and evidence.
CUI Assets
Anything that processes, stores, or transmits Controlled Unclassified Information: the laptops, servers, apps, and people that actually touch CUI.
How it is treated: In scope. Assessed against all applicable Level 2 requirements.
Security Protection Assets
Systems that provide security functions to the CUI environment even if they never touch CUI themselves: your SIEM, MFA provider, VPN, or a security MSP's tooling.
How it is treated: In scope. Assessed against the requirements relevant to the protection they provide.
Contractor Risk Managed Assets
Assets that can, but are not intended to, handle CUI, and that you choose to manage with policy rather than full technical control.
How it is treated: In scope, but assessed against your policies. Document them and manage the risk.
Specialized Assets
Government furnished equipment, IoT and OT, test equipment, and restricted information systems that cannot fully meet the requirements.
How it is treated: In scope, managed via your SSP and risk based decisions. Documented, not fully assessed.
Out of Scope Assets
Systems physically or logically separated from CUI, with no ability to reach it. Your marketing laptop that never touches a defense contract lives here.
How it is treated: Out of scope. Not assessed, provided the separation is real and demonstrable.
Let the platform sort your assets for you
Answer plain questions and the Level 2 Accelerator classifies every asset into the five categories, builds your inventory and CUI data flow, and shows exactly what falls in scope, before you spend a dollar securing the wrong things.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
Questions, answered
Why does scoping matter so much for CMMC Level 2?+
Scope decides how many systems, people, and places get assessed against 110 requirements. A business that lets CUI touch everything must secure everything. A business that isolates CUI to one enclave only has to secure that enclave. Scope is the single biggest driver of both cost and effort at Level 2.
What is a CUI enclave?+
An enclave is a deliberately small, separated environment where all your CUI lives and is worked, walled off from the rest of your business. Building one is the most common way small contractors shrink Level 2 scope from their whole company down to a handful of assets.
What are the five asset categories?+
The official CMMC Level 2 Scoping Guide sorts every asset into one of five categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out of Scope Assets. Each is treated differently in the assessment. The worksheet above walks all five.
How do I know which category something belongs in?+
Answer plain questions about what each system does and whether it can reach CUI. The platform does exactly this, sorting your inventory into the five categories from your answers and producing the asset list an assessor expects, so you never guess.