Keep Mobile Out of CMMC Scope

Q: Are personal mobile devices in scope for CMMC Level 2?

Yes, if CUI resides on them. According to CMMC Scoping Guidelines, any personal device that stores, processes, or transmits CUI becomes a Contractor Risk Managed Asset within your assessment boundary. The solution is an architecture that prevents CUI from reaching the device entirely.

Q: Does FedRAMP High authorization satisfy CMMC cloud requirements?

Yes. FedRAMP High authorization meets the cloud security requirements for CMMC Level 2 compliance as specified in 32 CFR Part 170.

CMMC 2.0 DEADLINE — NOVEMBER 10, 2026

days

to get mobile out of scope.

CMMC Phase 2 requires third-party certification for every contractor handling CUI. Most will discover, mid-audit, that their mobile devices doubled the scope they were trying to reduce. They don't have to.

The mobile scope problem

The endpoint is where CMMC scope quietly doubles.

Most security teams understand their data center. Mobile is where the boundary expands — because every personal phone that touches CUI pulls that device into the assessment.

BYOD that touches CUI is in scope

A personal device running MDM or MAM that accesses CUI is a Contractor Risk Managed Asset — in your assessment boundary, regardless of how well it is managed.

Every lost device expands your incident response burden

When CUI can reach the endpoint, a lost or stolen device creates a potential spillage event — requiring investigation, documentation, and response regardless of encryption status. With Hypori, no CUI is on the device, so there is nothing to investigate.

MDM adds controls, not scope reduction

MDM and MAM try to manage risk after CUI arrives on the device. That is a policy problem on top of an architectural one — more controls, bigger audit surface.

MAM/MDM BYOD locks you out of international travel

You are not authorized to travel outside the US with CUI on your device. With MAM or MDM, your personal BYOD device carries CUI — which means you cannot take it overseas. With Hypori, no CUI is on the device, so employees can travel internationally without restriction.

The root cause is not any one of these. It is that CUI reaches the device. Change the architecture — keep CUI inside the controlled environment — and the problem collapses.

CASE STUDY

A defense contractor took mobile out of CMMC scope.

Reduced mobile audit scope and eliminated BYOD friction — with no MDM enrollment and no change to personal device privacy.

Read the case study ->

Certifications and authorizations

HOW IT WORKS

How VMI Keeps Mobile Endpoints Out of CMMC Scope

Stream pixels. Not data.

Under the CMMC Scoping Guidelines, endpoints that never store, process, or transmit CUI are out of scope for CMMC assessment. VDI is explicitly recognised as an out-of-scope category. The DoW CIO Office has confirmed that Virtual Mobile Infrastructure (VMI) is treated as equivalent to VDI for scoping purposes — meaning personal devices running the Hypori client are out of scope for CMMC Level 2 assessment.

CUI stays inside the customer's controlled environment

The mobile workspace runs inside the customer's enterprise environment hosted in FedRAMP High. The physical phone is a display. No organizational data crosses to the endpoint.

No CUI stored on the device

No organizational data at rest on the endpoint. No organizational data in transit to it. Because CUI never reaches the device, there is no spillage event and no incident reporting trigger.

Endpoint out of CMMC scope

Because CUI never reaches the device, the device is never in the assessment boundary. Fewer controls, smaller audit surface, lower reporting burden — and BYOD with zero surveillance of personal activity.

Case Study

How Concurrent Technologies Corporation Secured CMMC-Compliant BYOD with Hypori

90% of licenses adopted within 45 days. No corporate devices. No MDM. Personal devices kept fully out of CMMC scope.

Read case study →

Case Study

M&A Voided Their CMMC Compliance. Hypori Restored It in Weeks.

A defense contractor inherited thousands of personnel post-acquisition and needed a compliant BYOD model before their audit — without MDM, MAM, or new devices.

Read case study →

White Paper

Enabling CMMC Compliance: Out of Scope, Out of Mind

Why edge devices running the Hypori App are out of scope for CMMC assessments — and what that means for your DIB program.

Read now →

Webinar

Matt Stern at CMMC Accelerate 2026

Hypori CSO Matt Stern on how VMI architecture changes the mobile scoping conversation for DIB contractors preparing for Level 2 certification.

Watch now →

Blog

CMMC Ultimate Guide: Cybersecurity Maturity Model Certification Explained

Everything DIB contractors need to know about CMMC — requirements, timelines, mobile compliance, and how to start your certification journey.

Read now →

Blog

Why CMMC Compliance Starts With Mobile CUI Security

Mobile is where CMMC scope quietly expands. Here's why CUI security on mobile devices is the first problem DIB contractors need to solve.

Read now →

CMMC MOBILE SCOPE - ANSWERED

Common Questions

Are personal mobile devices in scope for CMMC Level 2?

Yes, if a personal device stores, processes, or transmits CUI it is a CUI Asset under the CMMC Scoping Guidelines and must be assessed against all 110 NIST SP 800-171 controls. The way to avoid this is an architecture that ensures CUI never reaches the physical device.

Does MDM keep mobile devices out of CMMC scope?

No. MDM manages the device but does not prevent CUI from residing on it. A personal device running MDM or MAM that accesses CUI is still a Contractor Risk Managed Asset within your CMMC assessment boundary. The correct approach is an architecture that keeps CUI off the device entirely.

What is VMI and how does it affect CMMC scoping?

Virtual Mobile Infrastructure (VMI) runs the mobile workspace — its applications, storage, and CUI — inside a controlled cloud environment. The physical phone streams pixels and relays input only. No organizational data resides on the device. The DoW CIO Office has confirmed VMI is equivalent to VDI for CMMC scoping purposes, placing VMI-connected endpoints outside the assessment boundary.

Can BYOD be used in a CMMC Level 2 environment?

Yes, with the right architecture. BYOD itself is not prohibited by CMMC. The requirement is that CUI must be controlled. If the BYOD device never stores, processes, or transmits CUI — because CUI stays inside a VMI controlled environment — the device is out of scope and does not need to be assessed or managed.

What happens to CMMC scope if a BYOD device is lost or stolen?

With a VMI architecture, a lost or stolen device has no organizational data on it. No CUI was ever stored on the endpoint, so there is no spillage event and no incident reporting trigger — unlike MDM or MAM approaches where CUI resides on the device.

Does FedRAMP High authorization satisfy CMMC cloud requirements?

FedRAMP High is required for cloud services that store, process, or transmit CUI under CMMC Level 2 (per 32 CFR Part 170). It satisfies the cloud service provider requirement within CMMC. Compliance is a shared responsibility — the architecture of how CUI is handled also determines whether endpoints are in or out of scope.

NEXT STEP

Bidding on contracts that require CMMC Level 2?

If your workforce stores, processes, or transmits CUI — or you're pursuing contracts that require it — you need third-party certification by November 10, 2026. Most contractors don't realize mobile devices are their biggest scope problem until it's too late.