CMMC Level 1 Scoping: How to Figure Out What's In and What's Out

Level 1 scoping is one binary question applied to people, technology, facilities, and ESPs. Here's the methodology, the four categories, the common mistakes, and the pre-assessment work that determines everything downstream.

Deep Fathom

CMMC Level 1 scoping rests on one binary, applied asset-by-asset across people, technology, facilities, and external service providers: does this asset process, store, or transmit Federal Contract Information (FCI)? Yes means in scope; no means out of scope. 32 CFR § 170.19(b) sets the rule; § 170.19(b)(3) directs the OSA to apply the binary across the four categories. Specialized Assets carry separate treatment under § 170.19(b)(2)(ii). FCI itself is narrowly defined in FAR 52.204-21 as information not intended for public release that is provided by or generated for the Government under a contract — most contractors hold less FCI than they assume. The two most common Level 1 scoping mistakes are over-scoping (treating the whole enterprise as in scope by default, paying the cost forever) and mixed scoping inside a category without architectural separation between in-scope and out-of-scope assets on the same network segment.

Most of the Level 1 mistakes we see aren’t control mistakes. They’re scoping mistakes that were never named as scoping mistakes. A contractor walks into self-assessment thinking the question is “do we meet the 15 requirements.” The actual first question is the one nobody asked. What’s in scope.

The scoping decision sits underneath every other Level 1 decision. Cost, effort, who needs training, which systems get hardened, what the senior official is affirming under FAR 52.204-21. If scoping is wrong, every downstream answer drifts. If scoping is right, the rest of Level 1 is a manageable piece of work.

This piece walks the Level 1 methodology cleanly. The core question, the four categories the regulation calls out, the specialized assets that get treated differently, the mistakes that cost contractors the most, and the pre-assessment work that determines how the self-assessment actually goes. It’s the L1 counterpart to the CUI boundary scoping guide, which covers the Level 2 problem.

The Core Scoping Question

Level 1 scoping rests on one binary. The CMMC Level 1 Scoping Guide and 32 CFR § 170.19(b) frame it the same way. For every asset in your environment, ask: does this asset process, store, or transmit Federal Contract Information.

Yes means in scope. No means out of scope. The five-category model that complicates Level 2 scoping (CUI assets, security protection assets, contractor risk managed assets, specialized assets, out-of-scope assets) collapses at Level 1 to a near-binary: either FCI touches the asset, or it doesn’t. The one exception the regulation preserves is specialized assets, which get set aside rather than assessed, covered below.

That simplification is the gift of Level 1. It’s also the trap. Because the question is binary, contractors assume the answer is obvious. It usually isn’t.

FCI is defined narrowly in FAR 52.204-21 as information not intended for public release that’s provided by or generated for the Government under a contract to develop or deliver a product or service. Public press releases don’t count. Marketing materials don’t count. Unsolicited proposals don’t count. What does count: the actual contract you’re performing on, the technical content the contracting officer sends you, the deliverable artifacts you produce for the Government before they’re published. Most contractors hold less FCI than they assume.

The methodology, then, is asset-by-asset. Walk your environment. For each thing the regulation cares about (people, technology, facilities, external service providers), apply the binary. The yes-pile is your assessment scope.

People

People are scoped by role, not by org chart.

The question is whether this person processes, stores, or transmits FCI as part of their work. A contracts manager who reads task orders containing FCI is in scope. An accounting clerk who only sees invoices is not. A program manager who handles the Government’s technical input is in scope. The HR generalist who handles benefits enrollment is not.

What gets contractors into trouble here is the assumption that everyone on a “defense-side” team is in scope by default. They aren’t. A 30-person defense contractor often has six to ten people who actually touch FCI and twenty who don’t. The twenty don’t need Level 1 training, don’t need to sign acceptable-use agreements for the in-scope systems, and don’t appear in the scope letter. Treating them as in scope inflates the assessment surface for no reason.

The reverse mistake costs more: treating contractors and temporary staff as out of scope because they’re not on payroll. The regulation doesn’t distinguish. If a 1099 consultant has access to systems where FCI lives, that person is in scope. The contracting relationship doesn’t change the scoping answer.

Technology

Technology gets the longest treatment in 32 CFR § 170.19 for a reason. It’s where most of the scope decisions live, and it’s where the assumptions go bad fastest.

The binary still holds. Does this system process, store, or transmit FCI. But “system” needs to be unpacked, because contractors run dozens of systems and the FCI footprint usually sits in three or four of them.

Process means the system actively works on FCI. A workstation where someone opens a contract document. A laptop where an estimator builds a proposal using Government-provided technical data. A printer with FCI in its job queue.

Store means FCI sits in the system at rest. A file server folder. A SharePoint site. A backup tape. A USB drive in a desk drawer with archived contract files on it.

Transmit means FCI moves through the system. An email server carrying a message with FCI in it. A cloud sync service moving the file from a laptop to a shared library. A managed file transfer appliance handing off documents to a Government endpoint.

Apply the three verbs to each system and the in-scope list emerges. What surprises most contractors at this stage isn’t how many systems make the list. It’s how many don’t. The marketing CMS doesn’t process FCI. The expense management tool doesn’t store FCI. The chat platform sometimes does and sometimes doesn’t, depending on whether contract content gets shared there. Each system gets its own answer.

A worked technology scope often looks like this. Two laptops belonging to the contracts officer and a program manager. One file share. One email tenant (and a defensible argument about whether the tenant is in scope wholesale or only the mailboxes of in-scope users). One backup system. That’s the scope. The other forty-seven IT assets are doing other work for the business and aren’t part of Level 1.

Facilities

Facilities scope at Level 1 is narrower than most contractors expect.

The question shifts slightly: where in this facility is FCI processed, stored, or transmitted. The answer is rarely “the whole building.” It’s usually a few workstations, a server closet or rack, and a printer.

What this means in practice is that the physical access control under PE.L1-b.1.viii (FAR 52.204-21(b)(1)(viii), which limits physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals) applies to the in-scope physical spaces, not to the whole site. A contractor with three in-scope desks in a 50-person office locks down the three desks and the area immediately around them. Not the whole floor. Not the reception area.

Remote workers complicate the answer. If an employee handles FCI from a home office, that home office is an in-scope facility. The contractor doesn’t own the building, but the regulation still applies. The practical answer is usually a written agreement, a clean-desk practice, and an expectation of locked storage. Documenting the constraint is the point. The square footage isn’t.

Field facilities (warehouses, manufacturing floors, depot maintenance bays) are scoped the same way. If FCI passes through the space (a printed work order, a tablet showing contract specs, a kiosk displaying a Government drawing), the space is in scope. If FCI never reaches the space, it isn’t.

External Service Providers

ESPs are the category contractors most often get wrong, and the regulation has been progressively tightening around them.

The definition of an External Service Provider lives in 32 CFR § 170.4: external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on its behalf. The L1 scoping rule, 32 CFR § 170.19(b)(3), then directs the OSA to consider the people, technology, facilities, and external service providers within its environment that process, store, or transmit FCI. The cleanest example is a cloud productivity provider where contract documents sit in a hosted mailbox or document library. That provider is an ESP, and at Level 1 it is in scope when it touches FCI.

What “in scope” means for an ESP differs from what it means for an internal asset. The OSC doesn’t assess the ESP’s controls directly. The OSC does have to confirm the ESP is providing services in a manner consistent with the relevant requirements, and the OSC’s senior official is the one signing the affirmation. That puts an obligation on the OSC to understand what the ESP actually does, what it commits to, and what slips through.

The recurring failure mode is treating every vendor as an ESP. It isn’t. A payroll provider that handles W-2 data isn’t an ESP for FCI purposes (no FCI flows there). A janitorial company isn’t an ESP (no FCI processing). The ESP determination is the same binary as everything else. Does this third party process, store, or transmit FCI on our behalf. Yes means in scope, with a customer responsibility breakdown. No means out of scope, and the relationship lives outside Level 1.

The other failure mode is the opposite. Treating a cloud provider as fully responsible for the FCI controls because the provider is FedRAMP authorized or claims CMMC alignment. The provider’s posture doesn’t transfer. The OSC remains the affirming party. A shared responsibility matrix is the artifact that resolves who does what.

Specialized Assets

Level 1 treats specialized assets differently from everything else, and the difference cuts the opposite way from what most contractors expect. 32 CFR § 170.19(b)(2)(ii) names a specific set: Internet of Things (IoT) and Industrial IoT (IIoT) devices, Operational Technology (OT), Government-furnished equipment, Restricted Information Systems, and Test Equipment. It places them outside the Level 1 assessment scope. They are not assessed against the Level 1 requirements, even when they process, store, or transmit FCI.

The carve-out exists because these devices often run constrained software environments that can’t support conventional security tooling. The obligation is to identify them and document their role in the scope, not to assess them. This is the one place where Level 1 scoping isn’t a clean FCI binary: a specialized asset can handle FCI and still sit outside the assessed surface. The Level 2 treatment differs again, and a separate piece covers it in depth.

Common Scoping Mistakes

Across the Level 1 self-assessments we’ve watched contractors run, three patterns repeat.

Over-scoping is the most common. The contractor treats the whole enterprise as in scope because nobody drew the line. The result is a 200-asset scope when the actual FCI footprint is eight assets. Cost, effort, and ongoing maintenance all scale with the size of the scope, so over-scoping is paid for forever. Drawing the boundary deliberately is a one-time cost that pays back permanently.

Under-scoping is rarer but more damaging. The contractor knows where some of the FCI lives, scopes those systems, and misses adjacent flows. The classic version is the email tenant. FCI shows up in attachments, but the contractor scopes only the file share, not the email path. Under-scoping looks fine until an assessor (or, more painfully, a False Claims Act inquiry) finds the flow that wasn’t on the diagram.

The third pattern is mixed scoping inside a single category. Treating some workstations as in scope and others as out of scope without a defensible architecture between them. If two in-scope laptops sit on the same network segment as twenty out-of-scope laptops with no controls separating the two, the boundary is fictional. The assessor will read the boundary as encompassing everything on the segment, which puts twenty laptops back in scope. Either separate them with controls or scope them all together. The middle position doesn’t survive scrutiny.

Where Deep Fathom sees the over-scoping pattern most often is in contractors who skipped the pre-assessment walkthrough. The boundary never got drawn, so by default it encompasses everything anyone could imagine touching contract work. Half a day with a whiteboard would have shrunk the scope by 70 percent and cut the assessment effort accordingly.

What to Do Before the Self-Assessment Starts

Pre-Phase 1 work is where Level 1 either becomes a manageable project or a sprawling one. Three things, in order.

First, find the FCI. Walk the contracts list, identify which contracts include FAR 52.204-21, and follow the FCI flow from the moment it enters the business. Email from a contracting officer. Documents from a teaming partner. Generated artifacts produced for the Government. The list is usually shorter than people expect.

Second, map the FCI to assets. For each FCI source, identify the people who touch it, the systems it lives in, the facilities it passes through, and the ESPs that move it. The output is a scoping diagram or a structured table. The format doesn’t matter as much as the act of producing it.

Third, write the scope down. The Level 1 self-assessment relies on the OSC’s senior official affirming compliance under penalty of False Claims Act exposure. That signature is more defensible when there’s a documented scope behind it. A two-page scope statement, signed and dated, is the artifact you’ll want six months later when somebody asks how you decided what was in.

Several adjacent pieces sit downstream. The 110 controls map covers what changes when a contractor crosses from Level 1 into Level 2 territory. The DFARS 252.204-7012 guide covers how the contract-clause obligations interlock with the certification posture. And the “Level 1 isn’t a free pass” piece covers why even narrow scopes still warrant real readiness work.

Scoping isn’t a step in Level 1 readiness. It’s the foundation everything else stands on, and the cost of getting it right is small relative to the cost of getting it wrong. Get scoping right and Level 1 is fifteen requirements applied to a defined surface. Get it wrong and Level 1 is whatever you let it become.

References (3 official sources)

32 CFR Part 170 (CMMC Program Rule) [Regulation]
  § 170.4 defines ESP; § 170.19(b) sets Level 1 scoping (in scope = process, store, or transmit FCI); § 170.19(b)(2)(ii) carves out Specialized Assets even at L1.

FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) [Regulation]
  The 15 basic safeguards mapped to CMMC Level 1; paragraph (b)(1)(viii) is the physical access control corresponding to PE.L1-b.1.viii.

NIST SP 800-171A (Assessment Procedures) [Standard]
  Assessment objectives the L1 self-assessment uses to verify each of the 15 safeguards.