Scoping: The First and Most Overlooked Step in CMMC Compliance

  • mike08242
  • Apr 13
  • 3 min read

Updated: Apr 16

From The Cyber-Minute with Terry McGraw, CEO, Cape Endeavors


In a recent episode of The Cyber Minute, Terry McGraw, CEO of Cape Endeavors, addressed one of the most critical—but frequently misunderstood—steps in achieving Cybersecurity Maturity Model Certification (CMMC) compliance: scoping.


Scoping is the foundational activity that defines the boundaries of a defense contractor’s compliance environment. Yet, according to McGraw, many organizations attempt to bypass this vital step, eager to jump straight into implementing solutions. The problem? Without properly defining the scope of Controlled Unclassified Information (CUI) within your environment, any attempt at compliance is premature—and potentially flawed.


Why Scoping Matters

McGraw emphasizes that scoping is not just a checklist item—it's the bedrock upon which the entire CMMC compliance strategy is built. Skipping this step can lead to wasted time, misallocated resources, and, ultimately, failed assessments.


“Scoping determines the size, scale, and effort required to get compliant,” McGraw explained. “It’s about understanding where CUI lives, how it’s processed, and what systems or individuals touch it.”

This understanding is essential because CMMC compliance hinges on securing all assets that interact with CUI. That includes not just storage locations but also systems that transmit, view, or even print CUI. For example, printing CUI on a local printer brings the printer and potentially its network into scope—along with any endpoint devices connected to it.


Five Key Asset Categories

During the episode, McGraw outlines five critical asset categories that must be evaluated during the scoping process:

  1. CUI Assets – Systems directly involved in storing or processing CUI.

  2. Security Protection Assets – Tools and infrastructure (like firewalls and encryption systems) used to protect CUI.

  3. Contractor Risk Managed Assets – Systems that the contractor decides to include or exclude based on a formal risk assessment.

  4. Specialized Assets – Equipment with unique functions that may require tailored security controls.

  5. Out-of-Scope Assets – Devices and systems that are confirmed to have no interaction with CUI and are properly isolated from it.


Understanding how each asset category relates to the handling of CUI is essential in defining what must be secured under CMMC guidelines.


The VDI Example: Scope by Design

McGraw provides a practical example: viewing CUI on a laptop or desktop places that device in scope. However, using a Virtual Desktop Infrastructure (VDI) can limit exposure and reduce the number of in-scope assets. In a VDI setup, CUI is stored and processed on a central server, and endpoint devices merely serve as access terminals. This architectural decision can significantly simplify compliance efforts.


“Unless you’re using a VDI or other approved virtual environment, any device that views CUI becomes part of your compliance environment,” McGraw cautions.


Scoping Determines Strategy

At its core, scoping is a strategic exercise. It helps organizations plan effectively, reduce unnecessary complexity, and focus their compliance efforts where it matters most. For contractors managing lean IT environments or trying to limit audit scope, this can be a game-changer.

Cape Endeavors works closely with clients to guide them through this initial phase, helping identify where CUI lives and ensuring that all relevant systems are properly documented and secured.


Don’t Skip the First Step

McGraw closes with a clear warning: skipping scoping is one of the most common—and costly—mistakes contractors make when pursuing CMMC compliance.

“Scoping is incredibly important to do correctly. It helps you determine the size, scale, and effort required to get your CMMC compliance knocked out,” he said.

For defense contractors aiming to meet today’s cybersecurity standards and secure their role in the federal supply chain, proper scoping isn’t optional—it’s essential.


Need help with CMMC compliance? Contact us to learn how Cape Endeavors helps defense contractors simplify and accelerate their path to CMMC readiness.
