What Systems Need to Be Secured for CMMC Level 2 (What Is CUI Scope)? – Managed IT Services & Cybersecurity for Businesses Across the Pacific Northwest

For manufacturers pursuing CMMC Level 2 compliance, only systems that store, process, or transmit Controlled Unclassified Information (CUI) need to be secured—but defining that scope correctly is critical. Most organizations can reduce compliance costs by 20–40% by properly scoping CUI environments instead of securing their entire network. For a 25–250 user manufacturer, CUI scoping typically takes 2–4 weeks and directly impacts both your cost and timeline to compliance.

The 3-Part Framework for Defining CUI Scope

Proper CUI scoping follows a structured approach:

1. Identify Where CUI Lives

File servers storing DoD data
Email systems transmitting CUI
ERP or engineering systems handling controlled data

2. Map How CUI Flows

Who accesses the data
Where it is transmitted
Which systems interact with it

3. Define the CMMC Boundary

Limit compliance to only necessary systems
Segment networks where possible
Reduce the number of in-scope users and devices

What Systems Are Typically In Scope for CMMC Level 2

Most manufacturers will need to secure:

File servers storing CUI
Workstations accessing CUI
Email systems transmitting controlled data
Identity systems (Active Directory, Azure AD)
Backup systems containing CUI

What Systems Can Be Out of Scope (If Done Correctly)

With proper segmentation, you can exclude:

HR systems
Accounting/finance platforms
Marketing systems
General business applications

👉 This is where most cost savings happen.

Why CUI Scoping Has the Biggest Impact on Cost

Improper scoping leads to:

Securing unnecessary systems
Overpaying for tools and licenses
Longer implementation timelines

Proper scoping:

Reduces users in scope
Minimizes tool deployment
Speeds up compliance

Example Scenario: 125-User Manufacturer Reducing Scope

Company Profile

125 employees
Handles CUI for DoD contracts
Initially believed entire network was in scope

Initial Situation

All systems included in compliance plan
Estimated cost: $220K+
Timeline: 12+ months

Scoping Process (3 Weeks)

Week 1:

Identified systems storing and processing CUI

Week 2:

Mapped user access and data flows

Week 3:

Segmented network and isolated CUI systems

Outcome

Reduced in-scope users from 125 → 45
Lowered projected cost to $140K
Shortened timeline to 8 months

Common CUI Scoping Mistakes

Avoid these critical errors:

Assuming entire network is in scope
Not mapping data flows
Ignoring shared systems
Failing to segment environments

How to Reduce Scope Without Increasing Risk

Follow this framework:

Isolate CUI systems into a defined enclave
Limit user access to only those who need it
Separate business and compliance environments
Validate scope before remediation begins

Trust Signals

When evaluating support, look for:

Experience scoping CUI environments
Proven cost reduction through segmentation
Deep understanding of NIST 800-171
Experience with DoD supply chain manufacturers

Bottom Line

CUI scoping is the single most important step in controlling your CMMC Level 2 cost and timeline.

Manufacturers that scope correctly:

Spend less
Move faster
Avoid unnecessary complexity

Next Step:
Start with a CMMC gap assessment to accurately define your CUI scope before investing in tools or remediation.