CMMC 2.0 · Level 2

Avoiding CMMC Scope Creep Starts Here

The more systems and users in scope, the more complex compliance becomes. Understanding how CUI moves through your environment is the first step to reducing risk, cost, and assessment effort.

110 controls · 320 assessment objectives

The 110 controls are the core CMMC security requirements your organization must meet. The 320 assessment objectives are the validation checks assessors use to confirm those requirements are fully implemented.

These results are for readiness planning only and do not constitute a CMMC assessment, certification, legal opinion, or C3PAO determination.

The Clock is Ticking

As CMMC enforcement expands, organizations that wait may face longer assessment queues, compressed remediation timelines, and increased operational complexity.

Enforceable in contracts: Nov 2025
Assessments required: Nov 2026
You Are Here: Now
Delaying preparation increases scheduling risk as C3PAO availability drops.

Nov 2025

CMMC requirements broadly enforced in DoD contracts

Now

Define your current scope and identify risk areas

Nov 2026

Third-party assessments required and limited C3PAO availability expected

Before We Begin

Three concepts drive everything in CMMC scope. Click each to understand what it means and why it matters.


CUI (Controlled Unclassified Information)
Sensitive government information that requires safeguarding — such as technical drawings, contract data, engineering files, manufacturing details, or program documentation. If your organization handles this data, CMMC requirements apply.

Endpoints (Devices that access or store CUI)
Any device that accesses, stores, or shares CUI — including laptops, mobile devices, tablets, and other connected systems. If CUI touches it, it falls within scope and is subject to CMMC controls.

Scope (Your CMMC compliance boundary)
The boundary of systems, users, devices, and environments subject to CMMC requirements. As CUI spreads across people and technology, scope expands — increasing compliance effort and assessment complexity.

CMMC scope is determined by where CUI lives, moves, and who can access it. In many organizations, CUI gradually spreads across systems, users, vendors, and devices, expanding compliance obligations far beyond the original environment.

Do you handle any of these types of data?

  • Emails, shared drives, internal notes, storage devices
  • CAD files, blueprints, purchase orders, specs, data marked CUI
  • Inventory lists, diagrams, system architecture, export-controlled data

Where does CUI exist or move?

Select all systems that store, process, or transmit CUI in your organization.

  • Email
  • Shared Drives
  • Internal Notes
  • Storage Devices
  • File Transfer Platforms
  • ERP Systems

Scope Map

CUI

Which devices access your CUI?

Select all endpoints that connect to or store data from your in-scope systems.

  • Laptop
  • Mobile Device
  • Smart Watch
  • Personal Device
  • Tablet

Who outside your org has access?

Select any third parties that connect to, manage, or interact with your CUI environment.

  • MSP
  • External Admin
  • 3rd Party Integration
  • Supplier
  • Cloud-Based Tools

Is your CUI contained?

Organizations that confine CUI to a controlled enclave typically reduce assessment scope, operational burden, and ongoing compliance effort.

Controlled Enclave
  • Smaller Scope
  • Fewer Systems to Secure
  • Reduced Documentation Effort

Distributed Environment
  • Expanded Scope
  • More Systems / Users in Assessment
  • Higher Operational Burden

Allowing CUI to exist across general business systems often increases security overhead, documentation requirements, and assessment timelines.

Are you prepared to document and defend your compliance?

CMMC Compliance Documentation

You must be prepared to demonstrate:

  • Policies — the rules your organization follows
  • System Security Plan (SSP) — how these rules are implemented
  • POA&Ms — gaps that remain and how they will be resolved

An SSP alone commonly exceeds 300 pages and is reviewed closely during a third-party assessment.

The more CUI spreads, the more evidence your organization must document, maintain, and defend during assessments.

Exostar

Your Results Are Ready.

Enter your work email to download your personalized scope assessment results and recommendations.

Key Definitions
CUI
Controlled Unclassified Information — federal information requiring safeguarding per law, regulation, or policy, but not classified.
CMMC
Cybersecurity Maturity Model Certification — a DoD framework requiring defense contractors to meet specific cybersecurity standards.
Scope
The boundary of systems, people, and processes that must comply with CMMC controls — determined by where CUI lives and flows.
Scope Creep
The unintentional expansion of your CMMC compliance boundary, caused by CUI touching more systems than planned.
Endpoints
Devices — laptops, phones, tablets — that access or store data. If they touch CUI, they are in scope.
C3PAO
Certified Third-Party Assessment Organization — the authorized body that conducts official CMMC assessments.
SSP
System Security Plan — describes your security environment and how CUI is protected. Often 300+ pages.
MSP
Managed Service Provider — a third party that manages your IT systems. If they touch CUI systems, they may be in scope.
POA&M
Plan of Action & Milestones — identifies security gaps and your plan to address them.