The CMMC Level 1 scoping worksheet.
Scoping is the single most expensive decision in CMMC. Get it right and your work shrinks 90%. Get it wrong and you secure your entire company when you only needed to secure a corner of it.
- 20 min
- To complete
- 1
- Boundary you defend
- 90%
- Less work if scoped right
What scoping is
Scoping means drawing a line around the people, devices, networks, and cloud apps that touch Federal Contract Information (FCI). Anything inside the line has to meet the 15 CMMC L1 controls. Anything outside does not.
The mistake everyone makes: treating everything in the company as in-scope. A 6-person shop with one federal contract often has 3 laptops, 2 cloud apps, and a firewall in scope, not 20 systems.
The contracts that trigger CMMC for you
List every active federal contract or subcontract that references FAR 52.204-21 or contains FCI. If none, you don't need CMMC L1 yet.
| Contract / PO # | Prime or agency | FAR 52.204-21? | Contains CUI? |
|---|---|---|---|
If any rowsays yes to “Contains CUI?”, you need CMMC Level 2, not Level 1. Stop here and see CUI vs FCI.
People who touch FCI
Every person whose job involves opening, editing, emailing, or filing FCI. Front desk staff who only stamp envelopes usually aren't in scope; the project lead and engineers usually are.
| Name | Role | Why they need access | Access type |
|---|---|---|---|
Devices in scope
Any laptop, desktop, phone, or server that processes, stores, or transmits FCI.
| Device (make / model) | Assigned to | OS | MFA / antivirus on? |
|---|---|---|---|
Cloud apps & external connections
Email, file storage, accounting, project management, vendor portals, anything cloud-hosted where FCI lives or travels.
| App / service | What it holds | MFA enforced? | Owner |
|---|---|---|---|
Network & physical boundary
Boundary diagram, draw it
On the grid below, sketch your boundary. Inside the box: in-scope people, devices, cloud apps. Outside: everything else. A 30-second drawing is a 100% acceptable Level 1 diagram.
Out of scope, declared
Anything that does nottouch FCI. Listing this explicitly protects you when a prime asks “is X part of your assessment boundary?” The answer is on file.
Specialized assets, excluded by rule
Under 32 CFR 170.19(b)(2), Specialized Assets, IoT and IIoT devices, Operational Technology (a CNC cell, shop-floor machines), Government Furnished Equipment, Restricted Information Systems, and Test Equipment, are not part of your Level 1 assessment scope even if they touch FCI, because they cannot be fully secured. You do not assess them against the 15 requirements. Listing them here keeps your boundary honest when a prime asks about them.
| Asset | Type (IoT / OT / GFE / restricted IS / test equip.) | How it touches FCI |
|---|---|---|
VDI note: a computer that only runs a virtual desktop (VDI) client, configured so no FCI is processed, stored, or transmitted on it beyond the keyboard, video, and mouse feed, is out of scope entirely (32 CFR 170.19(b)(2)(i)). No documentation required.
Sign-off
I confirm that the scope defined above accurately reflects the systems, people, and information that touch federal contract information at our organization, and that anything not listed has been intentionally excluded.
