June 13, 2025 12 mins

Is your CMMC scope setting you up for success—or failure?

In this episode of the CMMC Compliance Guide, Brooke and Stacey from Justice IT Consulting break down one of the most misunderstood (and expensive) parts of your compliance journey: scoping.

Learn how to define your CUI boundary the right way, avoid common over-scoping mistakes, and streamline your assessment with clear documentation strategies. Whether you're prepping for a formal CMMC assessment or self-assessing for NIST 800-171, this episode gives you real-world insights that can save you time, money, and frustration.

🔍 We cover:

  • What really defines your CMMC scope (it's more than just your server)
  • The hidden risks of over-scoping and cloud blind spots
  • Third-party service provider mistakes that can blow your scope
  • Must-have documentation: data flow diagrams, network diagrams, and asset inventories
  • A practical checklist to get your scope right before the audit

🛠 Need a faster path to compliance without cutting corners? Visit www.CMMCComplianceGuide.com for free resources, expert help, or to book a discovery call.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
SPEAKER_01 (00:00):
Hey there, welcome to the CMMC Compliance Guide Podcast. I'm Stacey.

SPEAKER_00 (00:04):
And I'm Brooke.

SPEAKER_01 (00:05):
From Justice IT Consulting, where we help businesses like yours navigate CMMC and NIST 800-171 compliance. We're hired guns getting companies fast-tracked to compliance, but today we're here to give you all the secrets for free, so if you want to tackle it yourself, you're equipped to do so. Let's dive into today's episode and keep your business on track.

(00:25):
Today, we're zeroing in on CMMC scoping. And if you think it's just about checking a box on your SSP, think again. Scoping mistakes can tank your assessment, cost you tens of thousands in rework, or even disqualify you from contracts. Let's unpack how to define your boundary the right way. Brooke, why do so many contractors struggle with

(00:45):
scoping? It seems like it should be pretty straightforward.

SPEAKER_00 (00:50):
It does seem like it should be pretty straightforward. You know, you think, which of my systems should be in scope? And generally, if you don't think about it too much, you have a tendency to overscope and say, you know, everything. Especially if you're a small, medium-sized contractor, you

(01:11):
know, you have a tendency to overscope a little bit. So it's common to overscope. That's just an easy thing to default to. So if you scope properly, and maybe your whole environment does have to be in scope, but you really have to really take

(01:32):
everything into consideration and figure that out. Otherwise, it will lead to more cost, longer audits, all sorts of funds, and maybe unnecessarily higher cost or longer audits.

SPEAKER_01 (01:46):
If we want to break this down simply, what are
Really,

SPEAKER_00 (01:52):
the things you need to take into account is it isn't just where your CUI, your digital CUI, resides. You know, hey, it's my server. My server's, you know, in scope. It's going to be your data. It's going to be the people who...

(02:13):
Who access that? It's going to be processes that touch that data. So those are going to be all the things that touch it. Whether you should create an enclave or not. So if you can create any kind of enclave where it makes your in-scope environment smaller, that's always the best approach.

(02:34):
And then, of course, you always have to figure out which really kind of goes into processes, sort of. But you always have to figure in your third-party connections, your cloud vendors or any other partner companies that might have access to your data, any other MSPs who might have access to that data. Those third-party connections really matter.

SPEAKER_01 (02:56):
Let's get into some common mistakes. What are some of the scenarios contractors need to watch out for?

SPEAKER_00 (03:02):
Well, the first... The first mistake that you've got to watch out for, which is really common, and probably 99% of everybody did this early on, and it's overscoping, just as we talked about a minute ago. It's easy to say, well, I don't know exactly where my CUI is, and we'll just say everything's in scope.

(03:23):
So overscoping is one of the common mistakes that people make. There's some cloud storage blind spots, I guess. So there's some cloud storage blind spots. Like you may forget that you upload or have something that

(03:45):
uploads and keeps data in an Amazon browser. Uh, Amazon, Amazon S3 bucket or anyway, something like that. Um, you may forget about something like that, but so you've got to really take a good data inventory and figure out where things are at. Uh, and then another one, uh, we kind of referenced a minute ago, uh, really, uh, mostly in relation to cloud providers or

(04:08):
cloud services. Um, but as, uh, as a subcontractor or service provider oversight. So if there are any service providers that have access to your CUI, like backing it up, you know, something like that, then those people will come in scope as well.

SPEAKER_01 (04:30):
When it comes to our favorite topic on the podcast, documentation, what do assessors expect to see done right?

SPEAKER_00 (04:37):
So assessors are going to expect to see a network diagram done properly, right, and comprehensively. So most everybody's going to have a network diagram, but having a network diagram that actually encompasses everything that you have to keep in mind for CUI and for CMMC compliance.

(05:00):
People don't normally have that, so you've really got to make sure that you have a very comprehensive network diagram in place. The other thing is asset inventories. This isn't just your computers that are on the network. That's what most people think of.

(05:21):
It's easy to generate. You spit a list out of Active Directory or Azure Active Directory or your remote management monitoring solution, something like that. And people say, yep, here it is. Well, that's really not it. It's everything on that network that touches CUI that's in scope.

(05:42):
or adjacent that you need to identify. And that's what an asset inventory is. The other thing is going to be, and really the first thing you should do, is a data flow diagram. You really need to have that data flow diagram to show where your data comes from, where it goes to, where it flows through

(06:03):
your systems, and where it flows out of your systems. And that really is the very first thing you should do before you even attempt to spell the word scope is do a data flow diagram, because that helps you understand where everything's at, where it flows and everything, so you know what's in scope. Or it

(06:23):
also helps you realize that, oh holy cow, we probably need to narrow our scope a little bit, and we need to take care of this data flow diagram and bring less systems into scope, right? So there's that. Data flow diagram is very, very important for scoping. It'll also be very important, the assessors are going to want to see the data flow diagram.

SPEAKER_01 (06:46):
So, Brooke, what's the broader business risk if contractors don't scope correctly?

SPEAKER_00 (06:51):
Well, so the broader risk is going to be that it could lead to– if you overscope, it could lead to something– it could lead to more– like we talked about a minute ago, it could lead to more time for the assessment, which means more dollars.

(07:11):
Okay. If you don't scope properly and that's kind of figured out during the assessment, then magically things will be brought into scope that you didn't count on. And that could lead to either a more costly assessment or, more likely, a failed assessment.

(07:32):
So really, if you scope properly... And you document everything, and you document, document, document. I should have worn my document, document, document T-shirt, so we gave some of those away at a recent conference, and they seem to be a hit. But if you document everything, you show where everything goes,

(07:54):
you do your data flow diagram, you tell your story about your scope and why it's there, then not only will you have done a nice, thorough job of it, but you're going to be able to and be confident in the fact that you scope properly. But when the assessor reads that and sees your documentation, they'll feel very confident too.

(08:15):
Because I can tell you, if the assessor doesn't feel confident in anything, the scoping or data flow diagram, whatever it may be, but if they don't feel confident in the scoping, they're going to delve a little deeper.

SPEAKER_01 (08:29):
So to give our listeners a little bit of some actionable takeaways, what is a good checklist that our listeners could follow to avoid these common pitfalls

SPEAKER_00 (08:39):
with scoping? So as far as the checklist goes, that you can kind of follow, you start with your contract, right? And any documents that you get that may be labeled CUI, but you need to figure out what kind of CUI you have, what contracts they're part of, right? And so you can identify that type of CUI and hopefully the...

(09:03):
data flow diagram where it goes. You can walk your physical spaces and tag your systems visually so you can see what handles CUI, and it's easy to see. Interview your teams, and this way you can spot shadow IT, of course.

(09:23):
But you also may realize that the way you imagine that they are doing things, they may not actually be doing them that way, and they may inform you that they do it a little bit different, and it either leaves something out of scope that you included and shouldn't have, or it may be that you have to

(09:44):
include something else in the scope, for instance. So it's good to talk to your team members and make sure that you really do understand how things are being done. So you could review, for instance, you could probably review your bills for cloud services and then some of the logs to identify where there may be some CUI issues going, or if

(10:08):
it's something that you haven't, you know, if you identify, say, hey, what's this Amazon bill for? Or, well, I guess it could be all over the place, but, you know, Amazon cloud services bill, what is this for? I didn't think we did anything. So review your bills, make sure you know what you're paying for, and then see if you've left anything out of scope.

(10:29):
That's always a good thing to make sure of. And the last thing is document everything. Again, documentation, documentation, documentation. You've got to document everything, just a ton of documentation. Make sure it's comprehensive but concise, I would say.

(10:51):
I know that can be at odds, but really it needs to be nice and comprehensive but not complex, too lengthy. You need to keep it as concise as possible for your own sake and for the assessor's sake. Because, you know, do you really want them to read through a SSP

(11:11):
that's, you know, 350 pages long, you know? And it may be so if you don't have any policies, and that's where all your policies are. But generally, you should try to be comprehensive, but make sure everything is nice and concise.

SPEAKER_01 (11:29):
Looks like that wraps up today's episode. If you have any questions about what we covered, please reach out to us. We're here to help fast track your compliance journey. Text, email, or call in your questions and we'll answer them for free here on the podcast. You can find our contact information at cmmccomplianceguide.com. Stay tuned for our next episode.

(11:50):
Until then, stay compliant and stay secure. Like, subscribe, and share.