Same 110 controls. Your scope sets the timeline.

Two contractors get the same flow-down letter from the same prime. Both handle Controlled Unclassified Information. Both face the identical CMMC Level 2 requirement: 110 security controls drawn from NIST SP 800-171, assessed by a third party.

One of them is assessment-ready in about four months. The other is still grinding eleven months later, burning consultant hours and missing bid windows.

The difference is almost never effort, budget, or talent. It is a decision both of them made on day one, often without realizing they were making it: how much of their business they put inside the assessment boundary.

CMMC is sold to contractors as a controls problem, a checklist of 110 things to implement. That framing is what traps small contractors. The controls are fixed. They are the same for a 12-person machine shop and a 2,000-person prime. What is not fixed, and what you actually control, is the number of systems, people, and processes those 110 controls have to cover. That number is your scope, and scope is set before you implement a single control.

Why this is the decision that matters in 2026

The pressure is real and it has a date on it. CMMC Phase 2 begins November 10, 2026. From that point, a Level 2 certification assessment by a Certified Third-Party Assessment Organization (C3PAO) becomes a condition of award for contracts involving CUI, under the program established in 32 CFR Part 170 and the contract clause rule in 48 CFR. Self-attestation stops being enough for those contracts.

Industry estimates for getting a typical small contractor ready for a Level 2 assessment run six to twelve months. That range is not padding. It is engineering work, documentation, evidence collection, and remediation. And the assessor pipeline is already congested, with C3PAOs in many regions booking six to nine months out. (We broke down that scheduling crunch separately in the C3PAO capacity wall.)

Put those two facts together and the conclusion is uncomfortable. The months you spend in prep are the months that decide whether you get a certified slot before the deadline. Anything that legitimately cuts your prep time is not a nice-to-have. It is the difference between bidding and sitting out.

The single biggest lever on prep time is scope. Not because tight scoping skips any control, but because it shrinks the surface those controls have to cover, and a smaller surface is faster to harden, document, and prove.

The five buckets that decide your scope

CMMC scoping is governed by 32 CFR 170.19. For a Level 2 assessment, subsection (c)(1) sorts every asset in your environment into one of five categories, and each category carries a different burden.

The five CMMC asset categories under 32 CFR 170.19(c)(1)

CUI Assets process, store, or transmit Controlled Unclassified Information. These are the core of your scope, and they are assessed against all 110 Level 2 requirements. A laptop that opens a CUI email, a server holding contract drawings, a cloud folder with CUI files, all of it lands here. Anything that touches CUI, even temporarily, belongs in this bucket.

Security Protection Assets do not necessarily handle CUI, but they protect the assets that do. Your firewall, SIEM, identity provider, and endpoint detection tools sit here. They are in scope and assessed against the requirements relevant to the protection they provide.

Contractor Risk Managed Assets can, in principle, access CUI but are not intended to, and you manage that risk through policy. These are documented and justified rather than assessed against the full control set, but the key word is justified. Each one needs a written rationale for why it is not being treated as a CUI asset.

Specialized Assets include things like operational technology, IoT devices, government-furnished equipment, and test gear. They are documented with limited assessment expectations.

Out-of-Scope Assets neither handle CUI nor connect to the assets that do, and they are kept separate physically or logically. They are not assessed at all.

Here is the whole game in one sentence: your job during scoping is to legitimately move as many assets as possible down that list, and especially out of the top bucket. Every asset you keep out of CUI scope is a set of controls you do not have to implement, document, and defend on that asset. Scope reduction is not a loophole. It is the intended design of the rule.

Sprawl versus enclave: the same work, two boundaries

This is where the four-month contractor and the eleven-month contractor split.

The eleven-month contractor lets CUI sprawl. It arrives by email, lands on a shared drive everyone can reach, gets opened on any laptop, and copied into general-purpose tools. Because CUI is everywhere, almost everything becomes a CUI asset. The 110 controls now have to cover the entire company, including the marketing team’s machines and the sales department’s SaaS stack.

The four-month contractor builds an enclave: a controlled, segmented environment, physical or logical, where CUI is allowed to live and nowhere else. Everything outside the boundary is deliberately kept clean of CUI, which pushes it into the lower buckets or out of scope entirely.

Sprawled CUI versus an enclave: scope is the cost lever

The payoff is large. CMMC consultancies that build these boundaries for clients report that a well-designed CUI enclave can cut assessment scope and cost by roughly 50 to 70 percent, because you are hardening and documenting a fraction of your environment instead of all of it. Hosting CUI in a purpose-built government cloud such as Azure Government or AWS GovCloud, logically separated from the rest of your network, is one of the most common ways small contractors achieve this.

That is the core argument. The contractor who decides where CUI is allowed to go, before implementing anything, is solving a much smaller problem than the contractor who tries to secure the whole company.

The trap: a boundary you cannot actually defend

Scoping is powerful, which is exactly why it is the most common place assessments go sideways. Two failure modes show up again and again.

The first is drawing the boundary too narrow without the technical enforcement to back it up. If your SSP claims a tight CUI enclave but your network actually lets CUI flow outside it, an assessor can expand your scope on day one. Now you are being assessed on systems you never prepared, with the clock running and no time to fix it. A boundary is only as real as the segmentation, access controls, and data-flow restrictions that enforce it.

The second is documentation that does not match reality. Under 32 CFR 170.19(c), you must maintain an asset inventory of every in-scope asset and a network diagram showing the CMMC Assessment Scope boundary. Both are reviewed before the assessment formally begins. Your System Security Plan is where every scope decision gets recorded, and every Contractor Risk Managed Asset needs that explicit written rationale. Assessors probe this. Inconsistencies between the SSP, the asset inventory, and the actual network diagram are among the most common reasons assessments stall.

So the discipline cuts both ways. Tight scope wins you months, but only if the boundary is enforced and documented well enough to survive a C3PAO who is paid to push on it.

What to do this week

You do not need a consultant to start. You need an honest inventory and a decision.

  1. List every asset that touches CUI today. Email, file shares, laptops, servers, cloud apps, printers, the lot. Be ruthless and specific. This single list usually reveals how far CUI has already sprawled.
  2. Decide where CUI is allowed to live. Pick the smallest defensible footprint that still lets people do the work. That footprint is your enclave.
  3. Sort every remaining asset into one of the five categories. What can be moved out of the CUI bucket through segmentation or policy? What genuinely belongs in scope?
  4. Write down the boundary. Draft the asset inventory, the network diagram, and the scope section of your SSP together so they agree with each other and with reality.
  5. Then, and only then, start implementing controls, against the smaller, defined scope you just drew.

Do this in the right order and the 110 controls become a manageable project against a known surface. Do it backwards, implementing controls while CUI keeps spreading, and you get the eleven-month version.

The bottom line

CMMC Level 2 gives every contractor the same 110 controls. It does not give every contractor the same amount of work. The variable is scope, and scope is a decision you make at the start, governed by the five asset categories in 32 CFR 170.19. Draw the boundary tight and enforce it, and you are solving a small problem with months to spare before the Phase 2 deadline. Let CUI sprawl, and you are securing your whole company against a closing clock.

Scoping starts with an honest asset inventory. The CMMC Level 2 Asset Scoping Worksheet walks every asset through the five 32 CFR 170.19 categories and flags what your SSP and network diagram are still missing.

If you are building the full readiness path, the CMMC Level 2 Readiness Kit bundles the scoping worksheet with the SSP template, POA&M tracker, and evidence tracker, the scoped-scored-scheduled sequence in one place. It is built for the small contractor running this without a dedicated compliance team.

Want the control set itself as a reference? The NIST 800-171 Quick-Reference Checklist covers all 110 controls across the 14 families for $29.

Sources: 32 CFR Part 170, specifically 170.19 (CMMC scoping) and 170.19(c)(1) (Level 2 asset categories); DoD CMMC Scoping Guide, Level 2; NIST SP 800-171; 48 CFR CMMC contract clause rule (Phase 2 effective November 10, 2026). Enclave scope-reduction figures reflect estimates reported by CMMC assessment practitioners.