DEFENSE INDUSTRIAL BASE
The CMMC Mobile Scope Checklist
Find your gaps before your assessor does.
CMMC Level 2 requires demonstrating compliance with all 110 NIST SP 800-171 controls — for most DIB contractors, through a third-party C3PAO assessment. Most security teams understand their data center. The mobile workforce is where scope quietly expands, because every personal device that touches CUI pulls it into the assessment boundary.

Use this checklist to find the gaps before your assessor does.
01 — Map your mobile scope
Every device that can reach CUI or FCI is inventoried, including personal BYOD phones and tablets.
Each mobile device is classified under the DoD CMMC scoping guidance: CUI asset, security protection asset, contractor risk management asset, or out of scope.
You recognize that a personal device running MDM or MAM that touches CUI is in scope, and likely a contractor risk managed asset that can expand your assessment.
You have evaluated whether mobile access can be designed so CUI never reaches the device, taking the endpoint out of scope entirely.
02 — Protect the data, not just the device
You can demonstrate whether CUI is ever stored, processed, or transmitted on the physical device.
Data moving between the device and enterprise resources is encrypted to FIPS-validated standards.
A lost or stolen device leaves no recoverable CUI behind.
03 — Control access and identity
Multi-factor authentication is enforced for all mobile access to CUI.
Access uses unique user IDs and follows least privilege.
You can revoke a user’s mobile access immediately, without needing the physical device.
04 — Get credit for what you inherit
Any cloud used to process CUI on mobile is FedRAMP Moderate authorized or higher, per 32 CFR Part 170.
You hold a customer responsibility matrix showing which of the 110 controls you inherit from that cloud.
Inherited and shared controls are reflected in your System Security Plan.
05 — Prove it under assessment
Mobile and BYOD are addressed in your policies, acceptable use agreements, and user training.
Incident response and spillage procedures explicitly cover mobile devices.
Audit logs capture mobile access to CUI and are protected from tampering.
Shrink your mobile scope at the source

The fastest way to reduce mobile scope is to keep CUI off the device. Under the CMMC Scoping Guide, VDI is explicitly out of scope — and the DoD CIO Office has confirmed that virtual mobile infrastructure (VMI), the architecture Hypori uses, is equivalent. Hypori keeps CUI off the device entirely, removing it from your assessment boundary by regulatory guidance, not just architectural design.

See how Hypori works →

MDM and MAM vs. virtual mobile infrastructure: what’s the difference for CMMC?

Factor MDM / MAM approach VMI — Hypori
CUI stored on the device Yes No
Device in CMMC scope Yes No
Lost / stolen device risk CUI may be recoverable Nothing to recover
Employee personal data touched Yes — MDM profiles No
Assessment complexity Higher Lower
FedRAMP authorization required Depends on vendor Yes — cloud environment

Frequently asked questions

Any device that accesses, stores, processes, or transmits Controlled Unclassified Information (CUI) is in scope — including personal phones and tablets used for work email, file access, or any government-related application. This includes personal devices, not just company-issued ones.
Yes. A personal device that touches CUI is classified as a contractor risk managed asset under DoD CMMC scoping guidance and must be included in your assessment. The only way to exclude it is to ensure CUI never reaches the physical device.
No. MDM manages and secures a device, but if CUI is still stored or processed on that device, it remains in scope. MDM reduces risk — it doesn't reduce scope.
A contractor risk managed asset (CRMA) is a device that can reach CUI or the CMMC environment but isn't part of the primary security boundary. CRMAs still require documentation and risk acceptance — they're in scope, but managed separately.
The DoD CIO Office has confirmed that VMI is architecturally equivalent to VDI for CMMC scoping. Hypori's VMI architecture keeps CUI in the cloud — nothing is stored, cached, or processed on the physical device.
Yes. Under 32 CFR Part 170, any cloud used to process CUI must be FedRAMP Moderate authorized or higher. When that condition is met, you can inherit controls from that provider and reflect them in your System Security Plan, reducing your own control burden.
The device enters your CMMC assessment boundary. You must classify it, apply relevant NIST 800-171 controls to it, document it in your System Security Plan, and be prepared for your C3PAO to assess it.
Your SSP should identify all devices that access CUI, classify each one per CMMC scoping guidance, describe the controls applied, and document any inherited controls from FedRAMP-authorized cloud services. BYOD and mobile device policies should be referenced as supporting documentation.

Download the printable checklist + implementation worksheet

Get the branded PDF version of this checklist — plus a fillable implementation worksheet to map your device inventory, classify each asset, and assign remediation owners.

  • Printer-ready PDF with all five checklist sections
  • Implementation worksheet with device classification columns
  • Gap identification and owner assignment table
  • Hypori-branded — shareable with your assessment team
Ready to take mobile devices out of CMMC scope entirely?
Talk to a CMMC mobile specialist. We'll map your current mobile posture against these five sections in 30 minutes.