The Scope Trap: Why Securing Everything Is the Wrong Strategy for CMMC
CMMC SERIES · PART 1 OF 3
Defense contractors are discovering that the biggest barrier to CMMC certification isn’t a missing security tool. It’s having a network that’s simply too large and too interconnected to audit cleanly.
For organizations within the Defense Industrial Base (DIB), the shift to mandatory third-party CMMC assessments has exposed a problem that most security programs weren’t designed to solve. It isn’t a technology gap, exactly, and it isn’t a lack of investment; most defense contractors we work with have spent years and real budget building layered security environments. The problem is architectural. These environments, through accumulated tools and connectivity decisions made over time, have become too large, too interconnected, and too difficult to audit cleanly. When a C3PAO assessor can’t trace a clear line around where CUI lives and who touches it, the entire network comes into question. That is a different kind of problem than a missing control, and it requires a different kind of solution.
Under CMMC Level 2, which is built directly on the 110 requirements of NIST SP 800-171, the assessment scope is determined by where your Controlled Unclassified Information lives and how it moves. Any asset that processes, stores, or transmits CUI is considered in-scope, and so is any asset that provides security protection for those CUI assets: firewalls, identity servers, and logging infrastructure. In a traditional enterprise network, where CUI flows freely across shared systems, and employees access it through corporate VPNs from laptops that also connect to personal email and the broader internet, that scope can expand to encompass virtually the entire organization. One document on an employee’s laptop, accessed through a shared file system over VPN, can theoretically pull the company’s entire network into a Level 2 assessment.
This is what we call the Scope Trap, and it’s the single greatest barrier to certification for most mid-sized defense contractors. Applying military-grade security controls (mandatory MFA, FIPS-validated encryption, continuous monitoring and posture evaluation) to every user, device, enabled application, and network segment in the company isn’t just expensive. For most organizations, it’s genuinely not feasible without a fundamental rearchitecting of how the business operates. The assessment timeline grows, the audit complexity compounds, and the probability of a finding increases with every additional system that gets pulled into scope.
What makes the Scope Trap particularly frustrating is that the tools most organizations have deployed to manage the problem often make it worse. VPNs are the clearest example: designed to extend network access to remote workers, they also extend the logical perimeter of the network to wherever those workers happen to be sitting, on whatever devices they happen to be using. When an employee connects to a CUI system through a corporate VPN from an unmanaged home device, the segmentation required to contain that information effectively doesn’t exist. The endpoint is trusted because the credentials were valid, not because the device or the environment has been verified as compliant.
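The scoping argument above can be made concrete. The following Python is an added illustration, not code from the original article or from Tehama, and it deliberately simplifies the official CMMC scoping guidance (which defines further asset categories) down to three rules: CUI assets seed the scope, scope floods across any connection that is not mediated by a verified boundary, and any security protection asset that protects something in scope is pulled in as well. The asset names and the two topologies are constructed.

```python
"""Toy model of CMMC Level 2 scope propagation (constructed example)."""
from collections import deque

def assessment_scope(assets, links, protects):
    """Return the set of in-scope asset names.

    assets:   {name: "cui" | "spa" | "other"}
    links:    (a, b, bounded) triples; bounded=False is an unverified path
              (e.g. credential-only VPN) across which scope propagates.
    protects: {spa_name: {names that SPA protects}}
    """
    adj = {}
    for a, b, bounded in links:
        if not bounded:                 # a verified boundary stops the flood
            adj.setdefault(a, set()).add(b)
            adj.setdefault(b, set()).add(a)
    scope = {n for n, kind in assets.items() if kind == "cui"}
    queue = deque(scope)
    while queue:                        # flood-fill across unbounded links
        n = queue.popleft()
        for m in adj.get(n, ()):
            if m not in scope:
                scope.add(m)
                queue.append(m)
    changed = True                      # SPAs guarding in-scope assets join the scope;
    while changed:                      # iterate because an SPA may protect another SPA
        changed = False
        for spa, protected in protects.items():
            if spa not in scope and protected & scope:
                scope.add(spa)
                changed = True
    return scope

# Constructed inventory shared by both scenarios.
ASSETS = {"cui-fileshare": "cui", "eng-laptop": "other", "finance-pc": "other",
          "hr-pc": "other", "corp-vpn": "spa", "enclave-gw": "spa",
          "idp": "spa", "siem": "spa"}

def flat_network():
    """Constructed: the laptop reaches the CUI share over a credential-only VPN."""
    links = [("eng-laptop", "corp-vpn", False), ("corp-vpn", "cui-fileshare", False),
             ("corp-vpn", "finance-pc", False), ("corp-vpn", "hr-pc", False)]
    protects = {"corp-vpn": {"cui-fileshare"}, "idp": {"corp-vpn"}, "siem": {"corp-vpn"}}
    return assessment_scope(ASSETS, links, protects)

def enclave_network():
    """Constructed: the CUI share sits behind a gateway that verifies device posture."""
    links = [("eng-laptop", "enclave-gw", True), ("enclave-gw", "cui-fileshare", False),
             ("eng-laptop", "corp-vpn", False), ("corp-vpn", "finance-pc", False),
             ("corp-vpn", "hr-pc", False)]
    protects = {"enclave-gw": {"cui-fileshare"}, "idp": {"enclave-gw", "corp-vpn"},
                "siem": {"enclave-gw"}}
    return assessment_scope(ASSETS, links, protects)
```

In the flat topology every asset (seven of eight) lands in scope because the VPN path carries no device verification; in the enclave topology only the share, the gateway and the two services protecting it remain, and the shared identity provider stays in scope precisely because it protects the boundary.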
Stolen credentials now fuel 38% of breaches within the defense supply chain, and unmanaged endpoints continue to serve as the most common entry point for ransomware and data exfiltration. The era of self-attestation closed neither gap, which is precisely why the DoD moved to mandatory third-party assessment under CMMC.
Legacy Virtual Desktop Infrastructure and Desktop-as-a-Service platforms were built to solve a different problem: delivering desktop experiences at scale. While they do that reasonably well, they were never designed with compliance auditability as a core requirement. Session recording, immutable logging, audit evidence generation: these capabilities typically have to be bolted on separately, through additional tools that don’t share a common data model with the rest of the environment. For a CMMC assessor, that kind of complexity is a red flag. It suggests an environment where security controls don’t communicate, where visibility gaps exist, and where proving the integrity of the audit trail requires significant manual effort on the part of the organization being assessed.
Privileged Access Management and Identity and Access Management tools face a related limitation. They’re excellent at controlling who gets access to what, but they don’t govern what happens after access is granted. Once credentials or session tokens are compromised (and in the current threat environment, that is a when, not an if), an attacker operating under a valid identity can still move laterally, exfiltrate data through trusted connections, and exploit relationships between systems that PAM and IAM were never designed to monitor. The front door is locked, but the interior of the house remains largely ungoverned.

The deeper issue isn’t any one of these tools individually. It’s that they were each designed to solve specific connectivity and access problems, and compliance was never fully considered or treated as the primary design constraint. When you assemble them together, you get an environment that provides broad coverage but limited control, and that distinction matters enormously under the updated regulatory framework. CMMC assessors aren’t evaluating whether you have security tools. They’re evaluating whether those tools, together, establish a coherent, defensible, and auditable boundary around your Controlled Unclassified Information. A fragmented stack that requires extensive manual effort to produce evidence isn’t a compliance posture. It’s a liability.
What the DoD and the C3PAO assessment frameworks are actually looking for is demonstrable, immutable evidence that access is governed, sessions are recorded, anomalies are detectable, and every byte of CUI is attributable. That requires a different kind of architecture than most DIB organizations have built, one where the compliance boundary is defined and enforced by design, not assembled from disparate tools after the fact. The accompanying DFARS 252.204-7012 clause reinforces this: cloud systems must meet FedRAMP Moderate equivalence, and breach reporting is required within 72 hours. There’s no room for ambiguity about where CUI lives or how it’s governed.
The organizations that struggle most with CMMC assessments typically don’t fail because they lack intent or investment. They fail because their environment is too large, too interconnected, and too difficult to audit clearly. When an assessor can’t trace a clean line around where CUI lives and who touches it, the entire environment comes into question.
The solution isn’t more tools layered on top of an already complex stack. It’s a fundamentally different strategy, one that starts by asking a better question than “how do we secure everything?” The right question is: where exactly does our CUI live, and how do we create a boundary around it that a C3PAO assessor can verify without ambiguity? That is the question Self-Custody Data Enclaves were designed to answer.
Tehama Technologies helps defense contractors and DIB organizations achieve CMMC Level 2 readiness through Self-Custody Data Enclaves. To learn more, visit tehama.io.
Up next: In Part 2, we’ll explain how Self-Custody Data Enclaves answer that question, and why the architecture that makes it possible is simpler than most organizations expect. Publishing shortly. Stay tuned.