Understanding CMMC Level 1 Scoping: A Plain Language Guide
A straightforward guide to defining your assessment scope for CMMC Level 1 compliance.
Pedogee
1/27/2026


What is this guide about?
The CMMC Level 1 Scoping Guide helps contractors understand which parts of their business need to be assessed for cybersecurity compliance. Before you conduct a self-assessment, you need to know exactly what's being evaluated.
Who is this for?
This guide is for Organizations Seeking Assessment (OSAs)—contractors who will conduct a Level 1 self-assessment—and the professionals who support them.
What's "in scope" for your assessment?
Your assessment covers all assets that process, store, or transmit Federal Contract Information (FCI). Here's what that means:
Process – You access, edit, generate, or print FCI
Store – FCI sits on your devices, systems, or in paper files
Transmit – You send or receive FCI between systems
If an asset touches FCI in any of these ways, it's part of your assessment.
What's "out of scope"?
Assets that never process, store, or transmit FCI are out of scope. They won't be assessed.
What about specialized equipment?
Some assets can handle FCI but can't be fully secured. These are called Specialized Assets and are not assessed at Level 1. They include:
Internet of Things (IoT) devices – Smart sensors, connected equipment
Operational Technology (OT) – Industrial control systems, building management
Government Furnished Equipment (GFE) – Items the government provides to you
Restricted Information Systems – Systems configured entirely for government requirements
Test Equipment – Hardware used to test products and deliverables
Four areas to consider when scoping
Think about FCI across these four categories:
1. People
Who handles FCI? This includes employees, contractors, vendors, and external service providers.
2. Technology
What systems touch FCI? Consider servers, computers, mobile devices, network equipment, applications, and databases.
3. Facilities
Where is FCI handled? Look at offices, server rooms, data centers, and manufacturing plants.
4. External Service Providers (ESPs)
Do outside companies manage your IT or cybersecurity? They may be part of your scope too.
When do you need a new assessment?
Your assessment is valid for a defined scope. You'll need a new assessment if you make significant changes like:
Expanding your network
Going through a merger or acquisition
Routine changes—like adding or removing resources within your existing boundary—don't require a new assessment. Just continue your annual affirmations.
Key takeaway
Before your Level 1 self-assessment, clearly identify everything in your environment that touches FCI. This defines your CMMC Assessment Scope and ensures you assess the right assets.
💡 Tip: While not required for Level 1, developing a System Security Plan (SSP) is recommended as a best practice.
Source: CMMC Scoping Guide – Level 1, Version 2.13 (September 2024)
