Struggling to scope your CMMC Level 2 assessment? The new CMMC Scope Checker from Wrightbrained Security’s CMMC Compliance Engine can help change that. This free tool analyzes your assets against DoD guidelines, ensuring you focus controls only where CUI lives, saving time and money.
For many defense contractors, the most stressful part of CMMC isn’t just implementing the controls; it’s figuring out exactly where those controls need to go. Determining your assessment boundary can feel like trying to hit a moving target, and getting it wrong can lead to a failed assessment, or at the very least a more expensive one.
In CMMC Level 2, every asset in your organization falls into one of five categories:
- CUI Assets: Anything that processes, stores, or transmits CUI.
- Security Protection Assets (SPAs): Systems that provide security functions to CUI assets (like firewalls, MFA, or your MSP).
- Contractor Risk Managed Assets (CRMA): Assets capable of handling CUI but not intended to; these require documentation but not full assessment.
- Specialized Assets: Items like IoT, OT, or Government Furnished Equipment.
- Out-of-Scope Assets: Assets that have zero interaction with CUI and provide no security protections.
Knowing which “bucket” each system lives in is the foundation of an efficient assessment. If an asset is labeled a CUI Asset, every applicable Level 2 security requirement, from audit logging to encryption, will be tested on it.
The CMMC Scope Checker tool is designed to give you a practical view of what assets are likely in your scope.

Try the CMMC Scope Checker Tool
Note: This tool provides educational guidance only. It is intended to help you prepare, but it does not replace the official advice of a C3PAO, legal counsel, or your internal compliance team. Your final scope must always be validated against your actual CUI data flows and system security plan (SSP).
The Hidden Traps the Tool Helps You Find
Many organizations make the mistake of assuming their boundary is smaller than it actually is. Our Scope Checker uses branching logic to walk you through common “gotchas” that often catch contractors off guard:
- The VDI Leak: A virtual desktop can shrink your scope, but only if you actually keep the CUI inside the environment. If users can copy data to a local clipboard or print to a home printer, that local laptop just became a CUI Asset.
- The Email Ingress Point: Email is one of the most overlooked CUI paths. If CUI sits in a mailbox, the entire email service and the user accounts involved are in scope.
- The Physical Boundary: Scope isn’t just digital. If CUI is discussed in a conference room or shown on a screen in an open office, that physical space and the devices in it (like VoIP phones) may come into scope.
- The M365 Commercial Trap: Many contractors assume using Microsoft 365 is enough. However, the Commercial tier is not FedRAMP authorized for handling CUI under DFARS 252.204-7012; you typically need GCC High for these workloads.
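To make the five categories and the scope-propagation “gotchas” concrete, here is a small model of that branching logic, written as an added example for this article (it is not the Scope Checker’s own code). The asset attributes, the sample inventory, and the precedence order (specialized before CUI, CUI before security-protection) are assumptions of the example; it encodes the VDI leak and email ingress rules from the list above and shows how a single leaky VDI session or one CUI mailbox pulls additional assets into the CUI bucket.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:
    name: str
    handles_cui: bool = False        # processes, stores, or transmits CUI
    security_function: bool = False  # firewall, MFA, MSP tooling protecting CUI assets
    cui_capable: bool = False        # could handle CUI but is not intended to (CRMA)
    specialized: bool = False        # IoT, OT, or Government Furnished Equipment
    kind: str = "generic"            # assumed tags: "vdi_client", "mailbox", ...
    cui_can_leave_vdi: bool = False  # clipboard/print redirection out of the VDI session
    depends_on: list = field(default_factory=list)  # services/accounts this asset relies on

def propagate_cui(assets):
    """Apply the article's traps until nothing changes: a VDI client whose session can
    leak CUI becomes a CUI asset; a mailbox holding CUI drags its email service and
    user account into scope (dependencies may chain, hence the loop)."""
    by_name = {a.name: a for a in assets}
    changed = True
    while changed:
        changed = False
        for a in assets:
            if a.kind == "vdi_client" and a.cui_can_leave_vdi and not a.handles_cui:
                a.handles_cui, changed = True, True
            if a.kind == "mailbox" and a.handles_cui:
                for dep in a.depends_on:
                    if not by_name[dep].handles_cui:
                        by_name[dep].handles_cui, changed = True, True
    return assets

def categorize(a):
    # Precedence is an assumption of this example, not a statement of DoD policy.
    if a.specialized:        return "Specialized Asset"
    if a.handles_cui:        return "CUI Asset"
    if a.security_function:  return "Security Protection Asset"
    if a.cui_capable:        return "Contractor Risk Managed Asset"
    return "Out-of-Scope Asset"

def scope_report(assets):
    return {a.name: categorize(a) for a in propagate_cui(assets)}

def sample_assets():  # constructed inventory for demonstration
    return [
        Asset("vdi-host", handles_cui=True),
        Asset("laptop-alice", kind="vdi_client", cui_can_leave_vdi=True),   # leaky session
        Asset("laptop-bob", kind="vdi_client", cui_capable=True),           # CUI stays inside
        Asset("mailbox-alice", kind="mailbox", handles_cui=True,
              depends_on=["m365-exchange", "account-alice"]),
        Asset("m365-exchange"), Asset("account-alice"),
        Asset("firewall", security_function=True),
        Asset("hvac-plc", specialized=True),
        Asset("guest-wifi"),
    ]
```

Running `scope_report(sample_assets())` puts laptop-alice, m365-exchange, and account-alice into the CUI bucket even though none of them was tagged as handling CUI directly; laptop-bob stays a CRMA.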
Check out the Scoping Tool and provide us with your feedback. We would like to improve its functionality.
A smaller, well-defined boundary means fewer assets to test, less evidence to produce, and a faster assessment.
If you need documentation created by a Lead Assessor, you’re in luck:
If you need help determining your scope or with assessment readiness or preparation, get in touch with us:
