
Define your CMMC Audit Scope


Overview

Define your CMMC Audit Scope to set the boundaries of the audit and identify the object in focus.

The object can include the people, data, system, or product in review. The scope definition allows the auditors to focus on an aspect of the organization rather than the whole. This is why it is important to clearly define the scope of review for your given audit.

Determining your CMMC audit scope requires your organization to specify the product, the data, the systems, and the vendors in scope.

Read below for guidance on how to determine each scope item. A table listing each item is provided below to use as a template for this exercise.


Product(s) in scope

For a Software as a Service (SaaS) provider, the scope is typically the software application(s) offered to clients. Some organizations have multiple products, and it is important to define, for your CMMC audit, which product is in focus and which is not.

Data in scope

In order to identify the data in scope, the ideal step is to focus on the type of data and people that flow through the product or service identified. For a SaaS provider, it’s typically all the data held in it (i.e., customer data, etc.) and the people that support it, such as vendors and employees.

Systems in scope

To identify all your systems in scope, take an inventory of all the various systems and internal controls that are critical to delivering your service or product in scope. This could include email and Slack. The key is to focus on the systems and tools that are essential to delivering your service / product. Production systems have a direct impact on your product or service, unlike non-production systems.

For HR systems, focus on systems that manage employee onboarding and training processes. Everything else, such as time off requests and benefits, is out of scope since it is not critical to delivering a service or product.

For a SaaS provider, it’s typically all the infrastructure that hosts it and the procedures that support it, such as AWS, Github, JIRA, etc.

Vendors in scope

In order to identify the vendors in scope, focus on the critical vendors, such as cloud hosting and production-related organizations used to support the product or service in scope.

Scoping guidance template

Scoping guidance: provide a detailed description of your organization's products or services, then complete each scope item below.

Product(s) in scope: Focus on the product or service under review.
Data in scope: Provide the type of data and people that flow through the product or service under review.
Systems in scope: Provide a list of systems / tools that flow through or support the product or service under review.
Vendors in scope: Provide the list of critical vendors being used to support the product or service under review.
