CMMC Update by Glenda R. Snodgrass for The Net Effect

July 1, 2025

Scope is Everything

Proper scoping of your CMMC L2 assessment environment is the most critical aspect of your preparation, and I find it is the least understood. A few days ago, I received an email from someone in an OSC that failed their assessment the week before. Salient point:

"Our biggest issue was that we thought a lot of things were out of scope but they really weren't."

Over the past few months, I've had numerous conversations with CCAs, asking for their experience with assessments. Over and over again, the two biggest problems are wrong scope and inadequate documentation. Two examples:

  • One assessment was stopped on the second day because someone mentioned that BYOD devices are permitted to access CUI emails, but this hadn't been discussed beforehand. The BYOD devices weren't listed in the asset inventory, weren't in the network diagram, weren't shown in the data flow diagram, and weren't mentioned anywhere in the SSP (and the devices weren't being managed in any way).

  • One assessment was stopped just hours after it began, when it was revealed that the OSC had an MSP managing their CUI environment, but this was not documented and had not been mentioned at any time.

Scoping for CMMC L2 is complex. You need to read and understand the CMMC L2 Scoping Guide.

At the NCMS National Training Seminar in Orlando last month, I gave three talks on CMMC, twice each. The second time I gave the Scoping talk, I noticed some familiar faces chatting in the front rows before the session. I pointed and said "Didn't you listen to this talk yesterday?" They said yes, and one man said "This was the most important talk I have heard this entire week, and I need to hear it again."

If you weren't at the NCMS seminar and would like to hear these talks, I will be running them as virtual workshops:

  • August 12: Scoping Your CMMC L2 Environment

  • August 26: Are You Really Ready for a CMMC Assessment?

  • September 9: Top 10 Ways to Fail a CMMC L2 Assessment

I'll also be doing my CMMC 101 and CMMC 102 workshops again.

Early Bird Pricing for the entire series ends on Friday, and you can use code "CMMCUpdate" to get an additional 20% off.

Hope to "see" you there!



Sincerely,

Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107
