The CMMC assessment scope is not limited to the organizational unit directly handling Controlled Unclassified Information (CUI). It must also include any assets or services that provide security protection for the CUI environment. In this scenario, the Manufacturing Division processes, stores, or transmits CUI, making it the primary focus. However, because the centralized IT department performs administrative tasks for this division, its systems and personnel are considered "Security Protection Assets" (SPAs). According to official CMMC scoping guidance, both CUI assets and SPAs are within the assessment boundary. Therefore, both the Manufacturing Division and the supporting centralized IT department must be assessed.

A. The Manufacturing Division: This is incorrect because it omits the centralized IT department, whose administrative functions are essential for securing the CUI environment and are therefore considered in-scope as Security Protection Assets.

B. The centralized IT department: This is incorrect because the IT department only provides supporting functions. The primary CUI assets, which are the main subject of the assessment, reside within the Manufacturing Division.

D. The entire aerospace company: This is incorrect because CMMC allows for the assessment scope to be tailored to a specific enclave or segment. Assessing the entire company is unnecessary if other divisions do not handle CUI for the contract.

1. U.S. Department of Defense (DoD), Office of the Under Secretary of Defense for Acquisition & Sustainment. (December 2021). CMMC Scoping Guide: CMMC Level 2. Version 2.0.

Page 4, Section 2.2, "Asset Categories": This section explicitly states, "The CMMC Assessment Scope includes CUI assets and Security Protection Assets."

Page 5, "Security Protection Assets (SPAs)": This page defines SPAs as "Assets that provide security functions or services to the CMMC Assessment Scope... Examples of SPAs can include... systems that provide security services (e.g., authentication, authorization, malware protection, security event monitoring/logging)." The centralized IT department's administrative tasks fall under this definition.

2. U.S. Department of Defense (DoD), Office of the Under Secretary of Defense for Acquisition & Sustainment. (November 2021). CMMC Model Overview. Version 2.0.

Page 5, "Scoping": This document notes that scoping is a critical activity and directs organizations to the official scoping guides to determine the "people, technology, and facilities" that are part of the assessment, reinforcing that the boundary extends beyond just the direct CUI environment.