Editor’s note: This is part one of a three-part blog series highlighting several aspects of preparing for CMMC program success.
You’ve been asked to get your organization CMMC-ready. There is one choice to make before you can begin, and that choice shapes everything that follows: your supplier relationships, architecture, governance model and ultimately whether CMMC becomes a strategic advantage or a drag on the business.
The Compliance Conversation Is Missing the Point
For years, the defense industrial base watched CMMC evolve through drafts, comment periods and pauses. That waiting period is over. The DFARS final rule took effect in November 2025, Phase 1 enforcement (self-assessments) is live, and Phase 2 brings third-party assessments by a CMMC Third-Party Assessment Organization (C3PAO) for Level 2 starting November 2026. CMMC is now a durable condition of doing business with the US Department of War (DoW).
Yet most of the conversation still centers on assessment mechanics: Supplier Performance Risk System (SPRS) scores, System Security Plan (SSP) documentation, Plans of Action and Milestones (POA&Ms). That work matters, but it skips the most consequential question defense contractors and subcontractors can ask: What work do we want, and what are we willing to invest to be eligible for it?
Without answering that first, organizations make a costly mistake. They try to make everything compliant rather than intentionally deciding what should be in scope. The result is sprawl: an ever-expanding assessment boundary, ballooning costs and a compliance surface no one can sustain.
The Decision That Shapes Everything Else
Here’s what I see consistently: organizations jump straight into implementation without first segmenting their work. They treat all revenue as equally worth protecting at the same compliance level, when the reality is that different contracts carry fundamentally different obligations.
Defense work falls into distinct tiers. Some contracts involve only Federal Contract Information (FCI), which requires a Level 1 self-assessment against the 15 security requirements of FAR 52.204-21. Others involve Controlled Unclassified Information (CUI), which triggers Level 2: 110 security requirements drawn from NIST SP 800-171, with 320 assessment objectives (from NIST SP 800-171A) that an assessor will evaluate one by one. That is not a trivial undertaking, and organizations that don't scope it with intention will feel every one of those 320 objectives.
The strategic question is this: which of these tiers do we want to compete in, and what are we choosing not to pursue?
A Three-Step Exercise for Getting Clear About Scope
If you’re leading CMMC readiness for your organization, here’s a practical exercise to bring to your leadership team. It takes one focused session with the right people in the room: business development, contracts, IT, finance and security (at the very least).
Step 1: Map your contracts. Build a simple inventory of current and target contracts. For each one, identify whether it involves FCI, CUI, or neither. A practical check: a contract that carries DFARS 252.204-7012 (Safeguarding Covered Defense Information) in its clause list is a strong signal of CUI, while one that carries only FAR 52.204-21 points to FCI. If your contracts team can't answer that question for a given contract, that gap is worth flagging before you go any further; until it is resolved, treat the contract as if it carried CUI rather than guess low.
Step 2: Identify your CUI touchpoints. For every contract flagged as CUI, trace where that information lives and moves. Which systems process, store or transmit it? Which teams handle it? Which suppliers touch it? This is where scope becomes real: every asset that processes, stores or transmits CUI is inside the assessment boundary, and under the Level 2 scoping guidance so are the shared services that provide security functions to those assets (identity, logging and similar Security Protection Assets). Many organizations discover that CUI exposure is wider than they assumed, or that it's concentrated in a small number of workflows that can be isolated.
Step 3: Make the intentional call. This is the hard part and where business judgment comes in. Based on what you’ve mapped, decide which lines of business will pursue CUI work and which will not. Decide which suppliers will be brought into your CMMC boundary and which won’t. Use those decisions to drive leadership alignment so the organization moves forward with a shared understanding of what’s in scope and why.
That third step is where the business design happens. Choosing to pursue certain defense work is as strategic as choosing not to. An organization that intentionally narrows its CMMC scope to the revenue streams that justify the investment will build a sustainable compliance posture. An organization that tries to make everything compliant will exhaust its budget and its people.
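The three steps above are an inventory exercise, and the value of step 3 shows up only when you can see how the boundary changes with each decision. The following script is an added example, not code from the original post: it models a constructed contract inventory (names, systems, suppliers and data flows are all invented for illustration) and derives the required CMMC level and the in-scope systems and suppliers for a given set of lines of business. The `PROTECTS` map is an assumption about which shared services (identity provider, SIEM) protect which systems; it exists to show how Security Protection Assets follow CUI systems into a Level 2 boundary.

```python
"""Derive a CMMC scope from a contract inventory (steps 1-3 of the exercise).

Added example, not code from the original post. Every contract, system,
supplier and data flow below is constructed for illustration.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Contract:
    name: str
    line_of_business: str
    data: str            # step 1: "CUI", "FCI", "none" or "unknown"
    systems: frozenset   # step 2: systems that process, store or transmit it
    suppliers: frozenset # step 2: suppliers that touch it


# Level implied by the data a contract carries. "unknown" is deliberately
# absent: an unanswered step 1 question is treated as CUI until resolved.
LEVEL_FOR_DATA = {"none": 0, "FCI": 1, "CUI": 2}


def effective_level(contract):
    return LEVEL_FOR_DATA.get(contract.data, 2)


# Assumed for the example: shared services that provide a security function
# (identity, logging) to the systems listed. Level 2 scoping treats such
# Security Protection Assets as in scope, so they follow CUI systems in.
PROTECTS = {
    "idp":  frozenset({"erp", "cad-vault", "sharepoint", "email"}),
    "siem": frozenset({"erp", "cad-vault", "sharepoint", "email", "quote-tool"}),
}

# Constructed inventory (the output of steps 1 and 2). C-500 is the case
# where the contracts team could not say what data the contract involves.
INVENTORY = [
    Contract("C-100", "airframe",     "CUI",     frozenset({"cad-vault", "email"}),                frozenset({"MachineCo"})),
    Contract("C-101", "airframe",     "CUI",     frozenset({"cad-vault", "erp"}),                  frozenset({"MachineCo", "CoatingsInc"})),
    Contract("C-200", "logistics",    "FCI",     frozenset({"erp", "email"}),                      frozenset()),
    Contract("C-300", "training-sim", "CUI",     frozenset({"sharepoint", "email", "quote-tool"}), frozenset({"SimVendor"})),
    Contract("C-400", "commercial",   "none",    frozenset({"quote-tool"}),                        frozenset({"AdCo"})),
    Contract("C-500", "logistics",    "unknown", frozenset({"erp"}),                               frozenset({"FreightCo"})),
]


def unclassified(contracts):
    """Step 1 gap check: contracts whose data type nobody could state."""
    return sorted(c.name for c in contracts if c.data not in LEVEL_FOR_DATA)


def cui_touchpoints(contracts):
    """Step 2: which systems carry CUI, and under which contracts."""
    hits = {}
    for c in contracts:
        if effective_level(c) == 2:
            for system in c.systems:
                hits.setdefault(system, set()).add(c.name)
    return hits


def required_level(contracts, pursued):
    """Step 3: the highest level the pursued lines of business commit you to."""
    return max((effective_level(c) for c in contracts if c.line_of_business in pursued), default=0)


def boundary(contracts, pursued, protects=PROTECTS):
    """Step 3: systems and suppliers inside the boundary for the pursued work.

    Contracts with no FCI or CUI never pull assets in. CUI systems additionally
    pull in the shared services that protect them (Level 2 only).
    """
    in_scope = [c for c in contracts if c.line_of_business in pursued and effective_level(c) > 0]
    systems = set().union(*(c.systems for c in in_scope))
    suppliers = set().union(*(c.suppliers for c in in_scope))
    cui_systems = set().union(*(c.systems for c in in_scope if effective_level(c) == 2))
    systems |= {spa for spa, served in protects.items() if served & cui_systems}
    return systems, suppliers


def reclassify(contracts, name, data):
    """Resolve a step 1 gap: the inventory with one contract's data type fixed."""
    return [replace(c, data=data) if c.name == name else c for c in contracts]


if __name__ == "__main__":
    print("unclassified:", unclassified(INVENTORY))
    for system, names in sorted(cui_touchpoints(INVENTORY).items()):
        print(f"CUI on {system:<10} via {sorted(names)}")
    for option in ({"airframe", "logistics", "training-sim", "commercial"}, {"airframe"}, {"logistics"}):
        systems, suppliers = boundary(INVENTORY, option)
        print(f"pursue {sorted(option)}: Level {required_level(INVENTORY, option)}, "
              f"{len(systems)} systems, {len(suppliers)} suppliers")
```

Running it shows the point of step 3 in numbers: pursuing everything puts seven systems and four suppliers inside a Level 2 boundary, pursuing only the airframe line keeps the same Level 2 obligation but with five systems and two suppliers, and the unresolved C-500 alone drags the logistics line to Level 2 until someone confirms it carries only FCI, at which point that line drops to Level 1 with no shared services in scope.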
Why This Comes First
Everything else in your CMMC journey depends on this foundation. Your architecture – whether that's whole-enterprise compliance, a segmented enclave, or a carved-out entity – only makes sense once you know what you’re protecting and why. Your governance model and your documentation strategy flow from the scope decisions you make here.
Get this right, and CMMC becomes a strategic filter that concentrates your investment where it earns a return. Skip it, and you'll spend the next two years fighting scope creep, budget overruns and the growing sense that this program is working against you rather than for you.
CMMC Level 2 is demanding: 320 assessment objectives, specialized training and significant cost. None of that is going away. The leaders who succeed will be the ones who designed their business to carry the weight where it matters most and set the rest of it down.
Next in this series: How to lock in your architecture, govern scope changes and build compliance into the work from day one.