
CUI Scoping: Why Most Organizations Draw the Boundary Wrong

The Scoping Problem Nobody Catches Early Enough

Every CMMC Level 2 engagement starts the same way: someone hands us a network diagram and says, "Here's our CUI boundary." And almost every time, the boundary is wrong.

Not because the IT team is incompetent. Because CUI scoping is genuinely harder than most organizations expect, and the consequences of getting it wrong cascade through every phase of the compliance program. Draw the boundary too wide and you're implementing 110 controls across systems that don't need them, burning budget and extending your timeline. Draw it too narrow and your C3PAO will find CUI outside the assessed environment on assessment day. Neither outcome is recoverable on the spot.

Where CUI Actually Lives

Most organizations start scoping by identifying the systems that store CUI. That's step one, but it's maybe 40% of the picture. CUI doesn't just sit in a file share. It moves. It gets emailed. It gets downloaded to laptops, discussed in meetings, printed, copied to USB drives (even when policy says otherwise), and forwarded to subcontractors.

A complete scope requires tracing CUI through every phase of its lifecycle in your environment: where it enters (contract deliverables, supplier data, government-furnished information), where it's processed (applications, collaboration tools, engineering systems), where it's stored (file servers, cloud storage, email archives, endpoint drives), and where it exits (transmittals to customers, destruction, archival).

If you can't map that full lifecycle on a whiteboard, your boundary is a guess.

The Three Most Common Scoping Mistakes

1. Scoping to systems, not to data flows

A CUI boundary drawn around servers and applications misses the pathways between them. Email is the most common gap. An engineer receives a CUI-bearing attachment, downloads it to their workstation, attaches a modified version to a new email, and sends it to a colleague on a different subnet. Every one of those hops touches a system. If any of those systems sits outside your boundary, you have an assessment problem.

2. Ignoring the people layer

CUI scoping isn't just a technical exercise. People create, access, modify, and share CUI. If your scope doesn't account for who touches CUI and how they're trained to handle it, you'll have policy gaps that assessors will find. This is especially true in organizations where CUI handling responsibilities span multiple departments: engineering, contracts, program management, and sometimes HR or legal.

3. Assuming the enclave solves scoping

Managed enclaves are excellent tools for isolating CUI processing. But they don't eliminate scoping. CUI still enters and exits the enclave. Users still access the enclave from endpoints. Data still flows between the enclave and other systems during normal business operations. The enclave narrows your scope; it doesn't remove the need to define it.

How We Approach Scoping at Stehrling

We start every engagement with a data flow workshop, not a technology inventory. We sit down with the people who actually handle CUI (engineers, program managers, contracts staff) and walk through how information moves through their day. Where does it come from? What do they do with it? Where does it go next?

From that conversation, we build a CUI data flow diagram that maps every entry point, processing system, storage location, and exit point. That diagram becomes the foundation for the System Security Plan boundary and drives every scoping decision downstream.
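As an added example (not code from Stehrling or from the page), here is a small Python check that turns such a data flow diagram into something testable. Each flow is a chain of hops from an entry point through processing and storage systems to an exit point, and the script reports three things: organization-owned systems that CUI reaches outside the declared boundary (the too-narrow case from mistake 1, including the email-hop scenario), in-scope systems that no documented flow ever touches (too wide, or a flow missing from the inventory), and the external entry and exit points per flow for the SSP's interconnection list. All system names, flows and the boundary are constructed for illustration.

```python
"""Check a declared CUI boundary against documented CUI data flows.

Added example, not Stehrling's tooling. Every system name, flow and
boundary below is constructed to illustrate the check.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    via: str  # transport: "email", "download", "smb", "sftp", ...


@dataclass(frozen=True)
class Flow:
    name: str
    entry: str             # where CUI first appears in this flow
    hops: tuple[Hop, ...]  # ordered hops from entry to exit

    def __post_init__(self):
        # A flow must be a connected chain; a break means an undocumented hop.
        prev = self.entry
        for h in self.hops:
            if h.src != prev:
                raise ValueError(
                    f"{self.name}: hop {h.src}->{h.dst} does not continue from {prev}")
            prev = h.dst

    def systems(self) -> set[str]:
        """Every system this flow carries CUI through (entry plus each hop's destination)."""
        return {self.entry, *(h.dst for h in self.hops)}


def cui_footprint(flows) -> set[str]:
    """Union of all systems any documented flow touches."""
    found: set[str] = set()
    for f in flows:
        found |= f.systems()
    return found


def boundary_gaps(flows, boundary, external) -> dict[str, list[str]]:
    """Organization-owned systems outside the boundary that CUI reaches,
    mapped to the flows that put it there (boundary drawn too narrow)."""
    gaps: dict[str, list[str]] = {}
    for f in flows:
        for system in sorted(f.systems() - boundary - external):
            gaps.setdefault(system, []).append(f.name)
    return gaps


def unreached_in_boundary(flows, boundary) -> set[str]:
    """In-scope systems no documented flow touches: the boundary is drawn
    too wide, or a flow is missing from the inventory."""
    return boundary - cui_footprint(flows)


def external_touchpoints(flows, external) -> dict[str, list[str]]:
    """Per flow, the external (non-organization) entry and exit points."""
    return {f.name: sorted(f.systems() & external) for f in flows}


# --- constructed sample inventory -------------------------------------------
EXTERNAL = {"dod-safe", "subcontractor-sftp"}   # not owned by the organization
BOUNDARY = {"contracts-share", "m365-exchange", "eng-workstation-01",
            "legacy-print-server"}             # the boundary the diagram declares

FLOWS = (
    Flow("GFI intake", "dod-safe", (
        Hop("dod-safe", "contracts-share", "download"),
        Hop("contracts-share", "m365-exchange", "email"),
        Hop("m365-exchange", "eng-workstation-01", "download"),
        Hop("eng-workstation-01", "m365-exchange", "email"),     # modified copy sent on
        Hop("m365-exchange", "eng-workstation-02", "download"),  # colleague on another subnet
        Hop("eng-workstation-02", "subcontractor-sftp", "sftp"),
    )),
    Flow("Drawing review", "contracts-share", (
        Hop("contracts-share", "plm-server", "smb"),
    )),
)


if __name__ == "__main__":
    for system, names in boundary_gaps(FLOWS, BOUNDARY, EXTERNAL).items():
        print(f"OUT OF BOUNDARY: {system} reached by {', '.join(names)}")
    for system in sorted(unreached_in_boundary(FLOWS, BOUNDARY)):
        print(f"UNREACHED IN-SCOPE: {system}")
    for name, points in external_touchpoints(FLOWS, EXTERNAL).items():
        print(f"EXTERNAL for {name}: {points or 'none'}")
```

On the constructed inventory the script flags eng-workstation-02 and plm-server as systems CUI reaches outside the declared boundary, and legacy-print-server as an in-scope system no documented flow touches. The chain check in `Flow` is deliberate: a flow whose hops do not connect is a flow someone has not finished tracing, and it is better to fail there than to compute a boundary from a partial path.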

It's not glamorous work. But it's the single highest-leverage activity in the entire compliance program. Get scoping right, and everything that follows (controls implementation, documentation, evidence collection) is built on solid ground. Get it wrong, and you're building a compliance program on assumptions that your assessor will test on day one.

The Practical Takeaway

If you're early in your CMMC journey, resist the urge to jump into controls implementation before scoping is complete. Spend the time to trace CUI through your environment, document the flows, and validate the boundary with the people who handle the data every day. It will save you months of rework and, potentially, a failed assessment.


An independent firm focused exclusively on CMMC compliance for defense contractors and the DIB.

Fredericksburg, VA