CMMC Assessment Scoping

    Overview

    Define CMMC assessment scope, authorization boundary, and network architecture for Level 1 or Level 2. Documents in-scope assets and network diagram narrative for the SSP.

    Getting Started

    Add your source materials to the project workspace, then activate the CMMC Assessment Scoping skill. The agent will guide you through the process step by step.

    Example Conversation

    You: We’re going for CMMC Level 2 and need to document our assessment scope and network diagram. Our CUI lives in our internal file share and in a cloud app we use for contract management.

    Agent: I’ll help you define the CMMC boundary and in-scope assets. For Level 2 we need: (1) CUI assets — systems that process, store, or transmit CUI; (2) security protection assets — systems that protect CUI (e.g. firewalls, IAM, logging); (3) contractor risk-managed assets if you’re including any by choice. I’ll load the scoping guide and draft a boundary description. Do you have a network diagram we can reference, or should I describe the architecture from your description?

    You: We have a simple diagram — corporate LAN, DMZ with the contract app, and the file server on the internal segment. No separate test environment with CUI.

    Agent: I’ve drafted cmmc-scope.md with: (1) Authorization boundary — corporate LAN (internal segment + DMZ), including the contract management app, file server, domain controllers, and boundary firewall; (2) In-scope asset types — CUI assets: file server (FS-01), contract management app (CloudApp); security protection: firewall (FW-01), domain controllers (DC-01, DC-02), SIEM collector; (3) Network diagram narrative describing segments, data flow for CUI (user → file share, user → contract app), and interconnections. Out of scope: guest Wi‑Fi, test lab (no CUI). You can feed this into the SSP and asset inventory skills next.

    Sample Output Excerpt

    Below is a representative excerpt from a CMMC scoping document.


    Authorization Boundary

    The CMMC Level 2 assessment boundary includes all systems that process, store, or transmit CUI or that provide security protection for those systems.

    In scope:

    • Internal segment: File server FS-01 (CUI file share), domain controllers DC-01 and DC-02 (authentication, group policy), workstations used to access CUI.
    • DMZ: Contract management application (SaaS proxy / on-prem component) — CUI processed here; boundary firewall FW-01.
    • Security protection: FW-01 (boundary protection), DC-01/DC-02 (identification and authentication), SIEM collector (audit logging).

    Out of scope: Guest Wi‑Fi network; development/test environment (no CUI); building access control system (no CUI processing).

    Network Diagram Narrative

    Data flows for CUI: (1) User workstations → FS-01 (SMB) for file share access; (2) User workstations → FW-01 → Contract management app (HTTPS) for contract data. All CUI traffic either remains within the boundary or goes to the designated cloud app. Internal clocks are synchronized via NTP to DC-01.
