Free Primer · 6 Min Read · For Prime Contractors

What Is "Scope"?
An FCI Primer for Primes.

Scope is the foundation of every CMMC determination — and the part of compliance most often gotten wrong on Pacific defense contracts. Understand what scope actually means, why getting it wrong is expensive in two different directions, and what every prime should think through before drawing flow-down lines on their next award.

Section 1

Scope, Defined.

In CMMC, "scope" is the technical answer to a deceptively simple question: where does the regulated information live, and who touches it?

Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) don't sit still. They flow into your organization through email, portals, and printed documents. They get stored on shared drives, in project management tools, on laptops and phones. They get processed by employees in offices, in the field, and at home. They get transmitted to subcontractors, design partners, suppliers, and back to the government.

Scope is everything — every person, every process, and every piece of technology — that stores, processes, or transmits FCI or CUI on a defense contract.

That definition is short, but it's also the entire game. Every CMMC requirement that gets levied on a contractor applies only inside scope. A laptop that's in scope must meet 15 specific practices at Level 1 (or 110 practices at Level 2). The same laptop, if not in scope, has no CMMC requirements at all. The line between "in" and "out" is the difference between a defensible compliance program and either crushing overspend or a False Claims Act finding.

Section 2

The Three Pillars: People, Processes, Technology.

Every scope determination breaks into three categories. If you can name what's in each, you've drawn the boundary correctly.

👥 People
Every individual who has access to FCI or CUI in the course of contract performance. Not just employees — anyone whose role brings them into contact with regulated information.
Examples: project managers, estimators, field crews, IT admins, outside accountants who see invoices, subs who receive drawings, third-party reviewers.

⚙️ Processes
Every workflow that touches regulated information — how it's received, reviewed, stored, shared, and ultimately destroyed when the contract closes out.
Examples: bid response, proposal development, submittals to the prime, document control, RFI handling, change order processing, project closeout.

💻 Technology
Every system or device that stores, processes, or transmits FCI or CUI — including the network paths between them, both on premises and in the cloud.
Examples: email, file shares, cloud storage, project portals, laptops, phones, printers, the office network, backup systems, identity providers.

The verbs that matter — the ones that pull a person, process, or piece of technology into scope — are these three:

Store: FCI lives there, even briefly
Process: FCI is read, edited, or acted on
Transmit: FCI passes through

If any of those three verbs applies — even occasionally, even in transit — the asset is in scope. This is the part that catches primes off guard. A laptop that "only views" FCI from a portal is still processing it. A printer that "only prints" drawings is storing them in memory. An email server that "only forwards" award documents is transmitting them. There is no light-touch category.

Section 3

Why Scope Matters — In Both Directions.

Scope errors are expensive whether you draw the line too wide or too narrow. Most primes pick one direction by default and pay for it without realizing.

Over-Scoping
Treating every system and every sub as in scope when they aren't. Wastes money, slows down work, breeds resentment, and pushes good subs out of your supply chain. A small electrical sub forced through Level 2 controls when their work doesn't touch CUI will quote 3x — or walk away.

Under-Scoping
Drawing the line too tight and missing places FCI actually lives. Creates False Claims Act exposure when a DIBCAC review or inspector general audit finds regulated data in unprotected systems. Penalties run into the millions, and "we didn't think it was in scope" is not a defense.

The right answer is rarely "scope everything in" or "scope everything out." It's a precise, defensible map of where regulated information actually moves — informed by your specific contract, your specific subs, and your specific systems.

Section 4

What Primes Get Wrong Most Often.

In our experience working with Pacific defense primes — Hawaii, Guam, and CNMI — the same scope mistakes show up again and again:

📧 Assuming email is "just communication"
Email accounts that send or receive contract drawings, RFIs, award documents, or pricing data are fully in scope — including every attachment ever stored there. The mailbox itself becomes a scoped system, not just the messages flagged as sensitive.

🤝 Treating subs as someone else's problem
When you flow FCI to a subcontractor, the sub's environment becomes part of your compliance picture. Their devices, their email, their storage all need to meet the practices for the level of data they receive. If they don't, your prime contract is at risk — not just theirs.

📱 Forgetting BYOD and personal devices
A project manager forwarding contract emails to their personal Gmail to read on the road. A field super taking photos of submittals on their personal phone. A bookkeeper accessing project data from a home laptop. All in scope. All required to meet the same practices as company-issued equipment, or they need to be cut off.

☁️ Misreading the cloud
"It's in the cloud" is not a compliance answer. Cloud platforms have their own scope implications — some are FedRAMP-authorized for FCI, some aren't. A consumer Dropbox account holding contract drawings is not the same as a properly configured Microsoft 365 GCC environment. Most primes don't know which one they're using.

🗓️ Treating scope as one-and-done
Scope changes when contracts change. New award types, new subs, new tools, new field offices — every one of those potentially redraws the boundary. Most primes scope once at the start of a contract and never revisit it. By month 18, the actual scope and the documented scope have diverged significantly.

Section 5

So What Do You Actually Do?

The path to a defensible scope determination has four parts, in order:

One. Identify what regulated information your contract actually contains. Read the contract clauses. FAR 52.204-21 means FCI is in play. DFARS 252.204-7012 with NIST SP 800-171 controls means CUI. The clauses tell you what level the contract is at.

Two. Trace where that information goes. Every entry point, every storage location, every person who reads it, every sub who receives a downstream copy, every system that touches it in transit. This is the hardest step and the one most often done by guess.

Three. Document your scope boundary. A scope map is a defensible artifact: it shows what's in, what's out, and the reasoning behind every line. If a DIBCAC reviewer arrives, this document is what you hand them first.

Four. Operationalize it. Train people inside scope. Configure systems inside scope. Flow appropriate clauses to subs inside scope. Re-verify every time something changes.

⚠️ The Single Biggest Risk
Documenting a tight scope on paper — and then operating loosely in practice. If your scope map says CUI lives only on three controlled laptops, but your project manager regularly forwards CUI to their phone, the mismatch is the False Claims Act exposure. The scope you document and the scope you operate must be the same scope. Bridging that gap is where most compliance programs either succeed or fail.

Each part has details that aren't worth covering in a free primer — partly because the details depend on your specific contract type, your specific subs, and your specific systems, and partly because doing this correctly is what separates a defensible compliance program from a hopeful one.

Ready to actually map your scope?

PCC builds defensible scope maps for Pacific primes — so your boundary holds up under audit.

We trace your contract's information flow end to end, identify every system and sub in scope, document the boundary with the rationale behind every line, and give you a maintainable artifact you can defend in front of any reviewer. Built for Pacific defense primes — Hawaii, Guam, CNMI — by people who actually live here and understand how the work gets done. No mainland enterprise consulting bills.