Every defense contractor preparing for CMMC has the same expensive surprise: the third-party engineering firm with VPN access into one file server just doubled the size of their assessment. CMMC, the Cybersecurity Maturity Model Certification that DoD will require on covered solicitations starting November 10, 2026, is scored against the systems that touch Controlled Unclassified Information, or CUI. Every system inside that scope is a control to implement, evidence to produce, and a finding waiting to happen. A CMMC scope reduction strategy is the work you do before the assessor arrives, so the boundary is small, defensible, and matches the architecture you already run.
This piece is a control map for one specific scope problem: third-party engineering firms that need access to your CUI-bearing systems without dragging the rest of your environment into the audit.
Why CMMC Level 2 Scope Reduction Drives Assessment Cost
CMMC Level 2 assessment cost is a function of how many CUI Assets your assessor has to look at. Big boundary, big cost. Small, well-documented boundary, smaller cost. Everything else, the tooling, the policies, the recurring monitoring, scales from that decision.
Phase 2 effective date and the DFARS 252.204-7012 backdrop
The CMMC program rule, 32 CFR Part 170, was published October 15, 2024 and became effective December 16, 2024. Phase 1 began November 10, 2025. Phase 2 begins November 10, 2026, when DoD solicitations may require Level 2 assessments with C3PAO-issued certificates. DFARS 252.204-7012 has carried the CUI safeguarding obligation since 2017; CMMC adds third-party assessor verification. Contractor self-assessment gives way to assessment by a C3PAO accredited by the Cyber AB. The change in who scores you is the change that turns scope into a budget line.
The math: how assessment cost scales with enclave size
NIST SP 800-171 r2 has 110 controls, and a CMMC Level 2 assessment scores the 320 assessment objectives drawn from NIST SP 800-171A r2 (DoD CIO CMMC Assessment Guide Level 2). Every CUI Asset expands the evidence work. As an upper bound, a 50-asset enclave produces roughly 16,000 objective-asset evidence combinations (50 × 320); a 10-asset enclave produces about 3,200. Not every objective applies to every asset, but evidence volume still scales with the asset count, continuous monitoring scales with it, and the three-year recertification cycle compounds the cost. A defensible CUI enclave produces dramatically fewer evidence artifacts than a flat-network scope, and assessment cost falls with it.
The third-party vendor problem
Here is the version most contractors are wrestling with. Your engineering team works with an outside firm, say an HVAC design house, that needs access to your PDM (Product Data Management) system. The PDM holds drawings the program office has marked as CUI. You set up VPN access, the vendor workstation gets an RDP session into the PDM, and the work gets done. DFARS flow-down clauses make the vendor responsible for safeguarding CUI on their side. But the vendor's workstation now has L3/L4 reachability to a CUI Asset, and your assessor will ask why that endpoint is not a CUI Asset itself. The contract does not answer that. The network architecture does. Most contractors reach first for one of three answers: a VPN, a jump host, or a ZTNA broker. None of them sever the protocol. A VPN extends the network out to the vendor; a jump host still hands native protocol traffic to the CUI asset; a ZTNA broker authenticates the user but lets TCP and UDP reachability survive to the endpoint. A gateway that terminates the protocol is the option that breaks that path.
"In CMMC Level 2, the boundary your architecture draws is the boundary the assessor scores; everything else is overhead."
How to Reduce CMMC Level 2 Scope for Third-Party Engineering Access
The Gateway: where protocol termination happens
Protocol isolation is an access architecture in which inbound protocols terminate at a gateway before reaching CUI assets, so no TCP or UDP path survives to the endpoint. The Xona Gateway sits between the vendor endpoint and the CUI asset. It accepts inbound protocols (RDP, SSH, VNC), terminates them locally, and emits only event-driven pixel data outbound over HTTPS. No TCP or UDP path from the vendor endpoint to the CUI asset survives the Gateway. A VPN is a long hallway into your building; the Gateway is a window. This is structurally distinct from a VPN, which extends the contractor's network out to the vendor endpoint, and from a jump host, which still allows downstream native protocol traffic to reach the CUI asset. Neither severs the protocol.
"Protocol termination at the Gateway means no L3/L4 reachability from the vendor endpoint to the CUI asset; the session terminates at the Gateway and only event-driven pixel data egresses to the vendor."
For OT operators: a vendor connecting through the Gateway works inside a browser-rendered session, not a native protocol install on their workstation; session round-trip is the network round-trip plus one render hop. The Gateway is designed to fail closed without taking the CUI system down, so an outage at the access layer does not propagate into the control environment.
The Centralizer: credential injection and granular authorization
The Centralizer is the policy and identity plane behind the Gateway. It integrates with your identity provider (Active Directory, Entra ID, Okta), and it keeps CUI-system credentials out of vendor hands entirely; they are vaulted and injected at session start. The vendor logs in, but never sees the credentials that open the door. Session policy (time-windowed access, action restrictions, recording) is enforced at session establishment. As a NERC CIP operational reference (not a CMMC compliance precedent): AltaGas reported audit preparation time reduced from approximately six months to three weeks after deploying Xona (customer-reported; framework attribution per customer attestation).
"The most effective way to manage the high cost of a CMMC Level 2 assessment is to aggressively reduce the scope of the CUI environment, and protocol isolation is the surgical tool that allows you to do that without re-architecting your entire network."
Before and After: How Protocol Isolation Removes the Vendor Endpoint from CUI Asset Scope
Before: the vendor sits inside the contractor's boundary via VPN, with a direct RDP path to the PDM server holding CUI. After: the vendor sits outside the boundary, the Gateway terminates the protocol at the contractor edge, and only the pixel stream crosses outbound. The question "is this vendor endpoint a CUI Asset?" no longer applies because the path that would have made it one does not exist.
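The before/after claim is a statement about L3/L4 reachability, and it is the claim the assessor will test against your firewall rules, not your diagram. The script below is an added example (not Xona's code or tooling) that models a rule set with first-match semantics and an implicit default deny, then asks, for every endpoint, which CUI-asset services it can reach. All addresses, host names and rules are constructed; the gateway address is hypothetical. The model ignores NAT, stateful tracking and routing, so treat it as a scoping aid you run over an exported rule base, not a substitute for testing the real edge.

```python
"""Added example: which endpoints have an L3/L4 path to a CUI asset?

Constructed topology and rules; first-match evaluation with default deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # source CIDR
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None = any port
    action: str           # "allow" or "deny"


def first_match(rules, src_ip, dst_ip, proto, dport):
    """Evaluate rules top-down; the first matching rule decides, else deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action == "allow"
    return False  # implicit default deny


def cui_reachability(rules, endpoints, cui_services):
    """Map endpoint name -> [(asset, proto, port)] for every endpoint that has
    at least one permitted L3/L4 path to a CUI-asset service."""
    report = {}
    for name, ip in endpoints.items():
        paths = [(asset, proto, port)
                 for asset, asset_ip, proto, port in cui_services
                 if first_match(rules, ip, asset_ip, proto, port)]
        if paths:
            report[name] = paths
    return report


def vendor_endpoints_in_scope(rules, endpoints, cui_services, vendor_names):
    """The list the assessor will ask about: vendor endpoints with a path to CUI."""
    return sorted(n for n in cui_reachability(rules, endpoints, cui_services)
                  if n in vendor_names)


# Constructed CUI asset: the PDM server, exposing RDP and SMB.
CUI_SERVICES = [
    ("pdm-01", "10.20.0.10", "tcp", 3389),
    ("pdm-01", "10.20.0.10", "tcp", 445),
]

# BEFORE: the vendor laptop lands in the VPN pool and gets RDP straight to the PDM.
ENDPOINTS_BEFORE = {
    "vendor-laptop": "10.99.0.23",    # VPN-assigned address inside the boundary
    "engineer-ws": "10.10.0.41",
}
RULES_BEFORE = [
    Rule("10.99.0.0/24", "10.20.0.0/24", "tcp", 3389, "allow"),
    Rule("10.10.0.0/24", "10.20.0.0/24", "any", None, "allow"),
]

# AFTER: the vendor reaches only the gateway over HTTPS; only the gateway reaches the PDM.
ENDPOINTS_AFTER = {
    "vendor-laptop": "203.0.113.45",  # vendor's own network, outside the boundary
    "xona-gateway": "10.30.0.5",      # hypothetical gateway address
    "engineer-ws": "10.10.0.41",
}
RULES_AFTER = [
    Rule("203.0.113.0/24", "10.30.0.5/32", "tcp", 443, "allow"),
    Rule("10.30.0.5/32", "10.20.0.10/32", "tcp", 3389, "allow"),
    Rule("10.10.0.0/24", "10.20.0.0/24", "any", None, "allow"),
    # everything else falls through to the implicit default deny
]


if __name__ == "__main__":
    for label, rules, eps in (("BEFORE", RULES_BEFORE, ENDPOINTS_BEFORE),
                              ("AFTER", RULES_AFTER, ENDPOINTS_AFTER)):
        print(label, cui_reachability(rules, eps, CUI_SERVICES))
        print("  vendor endpoints needing CUI Asset categorization:",
              vendor_endpoints_in_scope(rules, eps, CUI_SERVICES, {"vendor-laptop"}))
```

In the AFTER output the gateway itself still shows a path to the PDM, which is correct: it is the Security Protection Asset that stays in scope, and the SSP should say so. The vendor laptop drops out of the report because no rule carries it past the gateway.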
Why ZTNA brokering is not the same thing
Zero Trust Network Access products (Zscaler Private Access, Cloudflare Access, Google BeyondCorp Enterprise) authenticate the user, then broker the native protocol to the endpoint. TCP and UDP reachability survives, just authenticated. Protocol isolation (Xona, with Cyolo PRO the nearest peer) severs the protocol entirely. For a C3PAO, "authenticated proxy" and "no L3/L4 path" are different findings.
Mapping Protocol Isolation to NIST SP 800-171 r2 Controls
This is the control map. Columns name what each NIST SP 800-171 r2 control requires, how protocol isolation supports it, and where evidence lives.
| Control ID | What it Requires | How Protocol Isolation Supports It | Where Evidence Lives |
| --- | --- | --- | --- |
| AC.L2-3.1.3 | Control the flow of CUI in accordance with approved authorizations | Gateway is the boundary; only the rendered session stream crosses it (what is on screen is still CUI in transit, but no native protocol path reaches the vendor endpoint) | SSP scoping diagram; Gateway config; firewall rules |
| AC.L2-3.1.12 | Monitor and control remote access sessions | Centralizer enforces session policy; Gateway records activity | Centralizer policy export; session recording archive |
| AC.L2-3.1.14 | Route remote access via managed access control points | Gateway IS the managed access control point | Network architecture diagram; firewall rules; SSP narrative |
| SC.L2-3.13.1 | Monitor, control, and protect communications at external and key internal boundaries | Gateway terminates protocols at the boundary; pixel-only egress | Gateway logs; protocol termination architecture |
| SC.L2-3.13.5 | Implement subnetworks for publicly accessible components, separated from internal networks | Gateway segment is the boundary subnetwork; CUI assets in a separate subnet | Network segmentation diagram; VLAN/subnet documentation |
| IA.L2-3.5.3 | MFA for local and network access to privileged accounts, and for network access to non-privileged accounts | Centralizer enforces MFA on vendor session establishment | Centralizer authentication logs; MFA enrollment records |
| IA.L2-3.5.10 | Store and transmit only cryptographically protected passwords | Centralizer's encrypted credential vault; injection at session start | Vault configuration; injection event logs |
SSP language is the contractor's authorship responsibility, not the vendor's. Work with your RPO (Registered Provider Organization) to draft language that reflects your network topology and asset categorization decisions. The map identifies which architectural facts your SSP narrative should reference; how those facts are phrased belongs with the assessor-aligned professional you have retained.
The Evidence Layer: Session Recording as Audit Support, Not Substitute
Session recording as AU.L2-3.3.1/3.3.2 evidence
Because the Gateway renders every session as pixel data, full session recording is a byproduct of the isolation design rather than a bolted-on capability. Recordings are identity-bound through the Centralizer's authentication record, so every replay traces back to a named vendor identity, a specific time window, and a specific target asset. That mapping supports AU.L2-3.3.1 (create and retain audit records sufficient to monitor, analyze, investigate and report unauthorized activity) and AU.L2-3.3.2 (ensure user actions can be uniquely traced to the individual user). For a vendor session, the question "who did what to which CUI system at what time" is the question the recording answers directly.
What session recording does NOT do
The recording does not satisfy AU.L2-3.3.5 (correlate audit record review, analysis, and reporting processes), which still requires SIEM-side aggregation and a documented review cadence. Retention period for recordings is an SSP-defined operational obligation; the platform stores, but the policy and the review schedule belong to the contractor. Tamper-evidence on the recording store requires a cryptographic seal or write-once storage, documented in the SSP. Chain-of-custody for forensic admissibility requires a documented procedure beyond the recording itself. Challenge any "audit-ready by default" framing before it reaches the SSP; the assessor scores the SSP, the policy, and the demonstration of review, not just the artifact.
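The gap between "the recording exists" and "the review happened" is exactly what the assessor will probe, so the reconciliation is worth scripting. The following is an added example, not Xona's code, and the two log formats it reads are constructed assumptions, not the product's real schema: a session log from the identity plane (who, from where, with or without MFA, to which target, until when) is joined to a recording index (path, whether the store sealed it, when a named reviewer looked at it). Each session comes back with the findings an assessor would raise: no MFA, no recording, an unsealed recording, or a review that is missing or late against the SSP-defined cadence, which is also assumed here.

```python
"""Added example: reconcile vendor sessions against the recording store.

Both log formats and the seven-day review cadence are constructed assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

REVIEW_CADENCE = timedelta(days=7)  # assumed SSP-defined review window
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)  # assumed audit date

# Constructed session log (hypothetical JSON-lines format, one record per session).
SESSION_LOG = """\
{"session_id":"s-1001","user":"jsmith@hvacdesign.example","source_ip":"203.0.113.45","mfa":true,"target":"pdm-01","end":"2026-03-02T15:40:02Z"}
{"session_id":"s-1002","user":"rlee@hvacdesign.example","source_ip":"203.0.113.46","mfa":false,"target":"pdm-01","end":"2026-03-02T16:25:30Z"}
{"session_id":"s-1003","user":"jsmith@hvacdesign.example","source_ip":"203.0.113.45","mfa":true,"target":"pdm-01","end":"2026-03-03T09:50:00Z"}
"""

# Constructed recording index (hypothetical format). Note s-1002 has no entry.
RECORDING_INDEX = """\
{"session_id":"s-1001","path":"rec/s-1001.bin","sealed":true,"reviewed_at":"2026-03-03T08:00:00Z"}
{"session_id":"s-1003","path":"rec/s-1003.bin","sealed":false,"reviewed_at":null}
"""


def parse_jsonl(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def ts(value):
    """Parse an ISO-8601 UTC timestamp ending in Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reconcile(session_log, recording_index, now):
    """Return {session_id: [finding, ...]} for sessions with evidence gaps."""
    sessions = parse_jsonl(session_log)
    recordings = {r["session_id"]: r for r in parse_jsonl(recording_index)}
    findings = {}
    for s in sessions:
        issues = []
        if not s.get("mfa"):
            issues.append("NO_MFA")                 # IA.L2-3.5.3
        if not all(s.get(k) for k in ("user", "source_ip", "target", "end")):
            issues.append("INCOMPLETE_RECORD")      # AU.L2-3.3.2 traceability
        rec = recordings.get(s["session_id"])
        if rec is None:
            issues.append("NO_RECORDING")           # AU.L2-3.3.1
        else:
            if not rec.get("sealed"):
                issues.append("UNSEALED_RECORDING")  # tamper-evidence, per SSP
            due = ts(s["end"]) + REVIEW_CADENCE
            if rec.get("reviewed_at") is None:
                if now > due:
                    issues.append("REVIEW_OVERDUE")  # AU.L2-3.3.5 cadence
            elif ts(rec["reviewed_at"]) > due:
                issues.append("REVIEW_LATE")
        if issues:
            findings[s["session_id"]] = issues
    return findings


def run_example():
    """Reconcile the constructed logs as of the assumed audit date."""
    return reconcile(SESSION_LOG, RECORDING_INDEX, NOW)


if __name__ == "__main__":
    for session_id, issues in run_example().items():
        print(session_id, ", ".join(issues))
```

Run against real exports, the only sessions that should come back clean are the ones you can also show the assessor in the SIEM with a reviewer's name attached; everything else is a POA&M item, not an artifact.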
What Stays in Scope After the Gateway
A scope reduction strategy that hides what stays in scope is one that fails C3PAO scrutiny. Be honest about what does not exit scope.
What stays in scope
The Gateway, the Centralizer, and the identity provider (Active Directory, Entra ID, Okta) are all in scope as Security Protection Assets under the CMMC Level 2 Scoping Guide. Any CUI that transits the system is in scope while in transit. The Gateway's underlying infrastructure (host OS, hypervisor, network hardware) is in scope as Security Protection Asset components. The contractor's internal network where CUI systems reside is in scope as CUI Assets. The honest scope-reduction story is not zero scope; it is a smaller, defensible, more uniform scope you can actually evidence. If your deployment puts Xona in an External Service Provider role (Xona-hosted Gateway, managed-service component), you will need a Shared Responsibility Matrix in the SSP that names which controls Xona owns and which remain with you. The product framing here assumes a contractor-operated Gateway and Centralizer; if your deployment differs, work with your RPO to document the shared-responsibility lines.
Scope reduction claims that don't survive C3PAO scrutiny
- "The Gateway alone reduces scope." Rejected without an SSP scoping diagram and matching asset categorization. The gateway is the tool. The SSP is the evidence.
- "Zero Trust posture equals CMMC compliance." Rejected. Zero Trust is an architecture posture. NIST SP 800-171 r2 is the rule set the C3PAO scores against.
- "IEC 62443 or NERC CIP precedent justifies the architecture." Rejected. Cross-framework precedent is rhetorically useful but does not bind a DIBCAC-aligned C3PAO. Where IT/OT or enhanced CUI references are needed, use NIST SP 800-82 r3 or NIST SP 800-172.
- "The environment is air-gapped." Rejected when an inbound vendor path exists. No internet egress is not the same thing as no inbound reachability.
What to Ask Your RPO Before Your C3PAO Assessment: A Scoping Checklist
Your RPO has seen what your C3PAO will accept. Walk into both conversations with specific questions and a draft scoping diagram, not a vendor pitch.
Three questions to take to your RPO
Three for your next RPO call:
- Will the assessor accept the Xona Gateway as a Security Protection Asset under the CMMC Level 2 Scoping Guide for our specific network topology?
- What SSP language do you recommend for the boundary, and how should the scoping diagram represent the Gateway?
- What evidence will the assessor expect for categorizing vendor endpoints as Out-of-Scope Assets rather than CUI Assets?
A scoping conversation starter
Before you go to your RPO, walk the architecture with your compliance lead and answer four questions on paper. What are our CUI Assets, by name and host? What are our Security Protection Assets? Where does the boundary sit, and which network segments are on which side? Where will the audit logs and recordings live, and who has access? Four answers, one page, signed by both of you. That page is the spine of the scoping diagram conversation.
What to ask your C3PAO during pre-assessment
Three for the pre-assessment call:
- How do you want the scoping diagram presented (level of detail, format, color conventions)?
- What artifacts will you want for boundary protection (SC.L2-3.13.1, AC.L2-3.1.3) and routing through managed access points (AC.L2-3.1.14)?
- What is your view on ESP arrangements for the gateway, and how does that affect assessment scope and timeline?
You will not get final answers, but you will get the assessor's posture, which is what your SSP narrative has to satisfy. The same contractor whose VPN doubled their assessment now hands their RPO a one-page scoping diagram in which the vendor endpoint sits outside the boundary, the Gateway is the managed access point, and the CUI Asset count is the number that matters.