The scope of a CMMC assessment for an organization within the Defense Industrial Base (DIB) applies to nonfederal systems. According to NIST SP 800-171, which forms the basis for CMMC Level 2, the requirements are applicable to all components of nonfederal systems that either directly handle Controlled Unclassified Information (CUI) or provide security protection for those components. The CMMC Scoping Guide further clarifies this by defining asset categories, including "CUI Assets" (those that process, store, or transmit CUI) and "Security Protection Assets" (e.g., firewalls, SIEMs), both of which are within the assessment scope. Therefore, the scope must encompass both types of system components.

A. This is incorrect because CMMC applies to nonfederal contractor systems, not federal systems. It also omits security protection components.

B. This is incorrect because it is incomplete. The scope also includes the systems and components that provide security protection for the CUI assets.

C. This is incorrect because CMMC is a framework designed for the nonfederal organizations that make up the Defense Industrial Base (DIB).

1. National Institute of Standards and Technology (NIST). (2020). Special Publication (SP) 800-171 Rev. 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Section 2.2

"APPLICABILITY

" Page 5. Available at: https://doi.org/10.6028/NIST.SP.800-171r2

Quote: "The requirements apply to all components of nonfederal systems that process

store

or transmit CUI

or that provide security protection for such components."

2. Office of the Under Secretary of Defense for Acquisition & Sustainment. (2021). CMMC Scoping Guide

Level 2

Version 2.0. Section 2.1

"Asset Categories

" Page 2.

Content: This section defines "CUI Assets" and "Security Protection Assets

" clarifying that both are part of the CMMC Assessment Scope. Security Protection Assets are defined as those that "provide security functions or services to the CMMC Assessment Scope."