Scoping Requirements in CMMC Assessments

The CMMC 2.0 Scoping Guide and the CMMC Assessment Process (CAP) document clearly define what should be included in the scope of an assessment.

The assessment scope must cover:

- All assets that process, store, or transmit FCI/CUI.
- Security Protection Assets (ESP): assets that help protect FCI/CUI, such as firewalls, endpoint detection systems, and encryption mechanisms.

Thus, the correct scope includes both:

✅ FCI/CUI Assets (assets that store, process, or transmit the data)
✅ Security Protection Assets (ESP) (firewalls, security tools, etc.)
Why the Other Answers Are Incorrect

A. All assets documented in the business plan ❌ Incorrect. Business plans may include assets unrelated to FCI/CUI, making this scope too broad. Only assets relevant to FCI/CUI should be assessed.

B. All assets, regardless of whether they process, store, or transmit FCI/CUI ❌ Incorrect. CMMC does not require organizations to include assets that have no connection to FCI/CUI.

C. All entities associated with the organization, regardless of line of business ❌ Incorrect. Only the assets relevant to FCI/CUI or security protection should be assessed. Unrelated business divisions (such as a non-federal commercial division) are out of scope.
CMMC Official References

- CMMC 2.0 Scoping Guide – Level 1 & Level 2
- CMMC Assessment Process (CAP) Document

Thus, option D (All assets processing, storing, or transmitting FCI/CUI and security protection assets) is the correct answer as per official CMMC assessment scoping requirements.