
Out-of-Scope Assets

Out-of-Scope assets are not part of the CMMC assessment. They have no CMMC documentation requirements and no assessment requirements. But that doesn’t mean the assessor ignores them entirely — they may ask you to justify why specific assets are excluded.

To be Out-of-Scope, an asset must meet all of these conditions:

  • Cannot process, store, or transmit CUI
  • Does not provide security protections for CUI Assets (not an SPA)
  • Is physically or logically separated from CUI Assets
  • Does not fall into any other in-scope category

If it fails any one of these tests, it’s in scope. The most common failure: an asset that’s on the same network as CUI systems without logical separation. Even if it never touches CUI, network adjacency without separation means it’s likely a CRMA, not Out-of-Scope.


VDI is a powerful scope-reduction technique. An endpoint running a VDI client (thin client, zero client, or a standard workstation running only a VDI session) is considered Out-of-Scope when the following conditions are met:

  • The VDI client is configured to prevent any processing, storage, or transmission of CUI beyond keyboard, video, and mouse (KVM) signals
  • CUI never touches the local endpoint — it stays within the VDI infrastructure
  • The VDI infrastructure itself is a CUI Asset (and fully assessed)

Instead of securing every laptop in the company, you secure the VDI infrastructure and the thin clients become out-of-scope endpoints. For organizations with many end users and few CUI specialists, VDI can dramatically reduce the assessment footprint.


You should be prepared to explain why any Out-of-Scope asset can’t handle CUI. The assessor won’t formally assess it, but they may ask. If you claim your marketing team’s laptops are Out-of-Scope but they’re on the same network as CUI systems with no separation, that claim won’t hold up.

The best justification is demonstrable separation — a network diagram showing the Out-of-Scope assets on a different VLAN or network segment with firewall rules preventing CUI traffic from reaching them.
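One way to sanity-check a separation claim before the assessor asks is to compare the asset inventory against the CUI segments and the firewall rule set. The following is an added example, not part of the original page; the asset names, addresses, and rule format are constructed for illustration and assume a simple source/destination rule export.

```python
import ipaddress

# Constructed sample data (not from the original page).
CUI_SEGMENTS = [ipaddress.ip_network("10.10.0.0/24")]
ASSETS = [
    {"name": "vdi-broker", "ip": "10.10.0.5", "claimed": "CUI Asset"},
    {"name": "mkt-laptop-1", "ip": "10.10.0.77", "claimed": "Out-of-Scope"},
    {"name": "mkt-laptop-2", "ip": "10.30.0.12", "claimed": "Out-of-Scope"},
    {"name": "kiosk-1", "ip": "10.40.0.9", "claimed": "Out-of-Scope"},
]
# Hypothetical rule export; anything not explicitly allowed is assumed denied.
FIREWALL_RULES = [
    {"src": "10.40.0.0/24", "dst": "10.10.0.0/24", "action": "allow"},
    {"src": "10.30.0.0/24", "dst": "10.10.0.0/24", "action": "deny"},
    {"src": "10.10.0.0/24", "dst": "10.30.0.0/24", "action": "deny"},
]

def separation_findings(assets, cui_segments, rules):
    """Return {asset name: [reasons]} for Out-of-Scope claims that lack separation."""
    findings = {}
    for asset in assets:
        if asset["claimed"] != "Out-of-Scope":
            continue
        ip = ipaddress.ip_address(asset["ip"])
        # Network adjacency: the asset sits inside a segment that holds CUI assets.
        reasons = [f"shares segment {seg} with CUI assets"
                   for seg in cui_segments if ip in seg]
        # Conservative check: any allow rule joining the asset to a CUI segment,
        # in either direction, is flagged regardless of rule order.
        for rule in rules:
            if rule["action"] != "allow":
                continue
            src = ipaddress.ip_network(rule["src"])
            dst = ipaddress.ip_network(rule["dst"])
            for seg in cui_segments:
                if (ip in src and dst.overlaps(seg)) or (ip in dst and src.overlaps(seg)):
                    reasons.append(f"allow rule {src} -> {dst} connects it to {seg}")
        if reasons:
            findings[asset["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in separation_findings(ASSETS, CUI_SEGMENTS, FIREWALL_RULES).items():
        print(name, "->", "; ".join(reasons))
```

An asset with no findings here has only passed the separation condition; the other three conditions listed above still have to hold for it to be Out-of-Scope.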