NIST 800-171 & CMMC Scoping Guide  

Where Controlled Unclassified Information (CUI) exists is mostly driven by business processes, where technology is merely enabling that process to function. Oftentimes, security is an afterthought in those scenarios. Given that reality, the "owners" of the data and processes need to be intimately familiar with the systems, applications and services that go into making their business processes work, since CUI can dramatically impact the costs associated with that line of business. A well-designed and segmented network is the preferred method to address NIST 800-171/CMMC in a secure, efficient and cost-effective manner.

This guide provides a structured methodology for determining which systems, applications and services in a company’s IT infrastructure are within scope for NIST 800-171 compliance. This guide categorizes system components according to several factors:

  • Whether CUI is being stored, processed or transmitted;

  • The functionality that the system component provides (e.g. access control, logging, antimalware, etc.); and

  • The connectivity between the system and the CUI environment.


This NIST 800-171 scoping guide can be used by both large and small companies to help critically evaluate the system components that comprise the scope of assessment. The primary difference between large and small companies will be the number of system components that are evaluated.

   What This Guide Does Address  

Addressing the people, processes and technologies around CUI is a necessary part of any NIST 800-171 compliance program. This guide focuses on categorizing the system components that comprise a company's computing environment and helps with the following:

  • Assists in determining which system components fall in and out of scope.

  • Facilitates constructive communication between your company and a CMMC assessor by providing a reasonable methodology to describe your technology infrastructure and CUI environment.

  • Provides a means to categorize the various different types of assets, each with a different risk profile associated with it.

  • Provides a starting point to potentially reduce the scope of NIST 800-171 and CMMC by re-architecting technologies to isolate and control access to the CUI environment.

  • Non-Federal Organization (NFO) controls, found in Appendix E of NIST 800-171, are also included in scoping considerations to identify underlying security practices that are expected to exist. These secure practices support CUI security activities.

   What This Guide Does Not Address  

This guide does not define what NIST 800-171 controls and CMMC practices are required for each category. Since every company is different, it is up to each company and its assessor to determine the nature, extent and effectiveness of each control to adequately mitigate the risks to CUI.

   CUI Segmentation Considerations  

It is important to understand that without adequate network segmentation (e.g., a flat network) the entire network is in scope of NIST 800-171 and a CMMC audit. Network segmentation should be viewed as a very beneficial process to isolate system components that store, process, or transmit CUI from systems that do not. Adequate network segmentation may reduce the scope of the CUI environment and overall reduce the scope of a NIST 800-171 audit.


To eliminate ambiguity surrounding the term “segmentation” in terms of NIST 800-171 scoping, this guide uses one of the two following terms:

  • Isolation – No logical access. This is achieved when network traffic between two assets is not permitted.

  • Controlled Access – Logical access is permitted. This is achieved when access between assets is restricted to defined parameters.

    • Controlled access is more common than isolation.

    • Restrictions may include logical access control, traffic type (e.g., port, protocol or service), the direction from which the connection is initiated (e.g., inbound, outbound), etc.


Examples of mechanisms that provide segmentation include firewalls, routers, hypervisors, etc.

Disclaimer: This information is provided for educational purposes only. This website does not render professional services and is not a substitute for professional services. If you have compliance questions, you are encouraged to consult a cybersecurity professional.


© Compliance Forge, LLC (ComplianceForge). All Rights Reserved.

Compliance Forge, LLC (ComplianceForge) disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website. ComplianceForge does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of this website is assumed by the user.

ComplianceForge reserves the right to refuse service, in accordance with applicable statutory and regulatory parameters.