If your company needs to get CMMC Level 1 certified, one of the first things you’ll run into is the Self-Assessment Scope document. It looks formal and complicated, but at its core it answers a simple question:
What parts of your company do you need to check for CMMC Level 1?
Let’s make sense of it.
Step 1: Know What Counts as FCI
The document revolves around something called FCI — Federal Contract Information.
This is any information you get from the government as part of a contract.
It’s not secret or classified, but it’s not meant for the public either.
Examples: a contract statement of work, project schedules, or invoices.
If a system, device, or person uses, saves, or sends FCI, they’re in scope.
Step 2: Figure Out What’s In Scope
“In scope” means it has to be checked against the CMMC Level 1 requirements.
Computers that store contract files
Email accounts used to send FCI
File servers or cloud storage with government documents
Employees who handle government contract information
Step 3: Figure Out What’s Out of Scope
If something never touches FCI, count it out.
Your marketing laptop with only design files
A printer that’s only used for internal HR paperwork
Machines on the shop floor that don’t store or transmit contract information
Step 4: Watch for “Special Assets”
Some things are automatically treated as out of scope for Level 1, but you need to note them down:
Smart building devices like HVAC or security cameras
Equipment the government owns or leases to you
Factory machines like PLCs or CNC devices
Test equipment like oscilloscopes or analyzers
Step 5: Think Beyond Technology
Scope isn’t just about computers. The document tells you to also check:
People: Who handles government info?
Technology: What devices or apps touch it?
Facilities: Where is it stored (office, data center, plant)?
Service Providers: Who else holds your data (cloud providers, managed IT)?
Step 6: Use Your Scope to Prepare
Once you know what’s in and out, you can connect it to the CMMC practices. For example:
Listing people who use FCI helps you meet the requirement to identify users
Listing cloud providers helps you meet the requirement to control external connections
Key Tips
Start small: find where FCI lives first
Write it down: don’t keep scope in your head
Don’t overdo it: only include what touches FCI
Don’t miss things: if FCI goes through it, it’s in scope
Bottom line: This document is just a guide to help you draw a box around the parts of your business that CMMC Level 1 cares about. Once you know the boundaries, you can focus your time on proving those parts are secure.