Recent analysis of CyberAB data reveals that a staggering 72% of CMMC 2.0 assessments are being conducted in sequential scoping, a practice that can significantly increase costs and timelines for contractors (CyberAB, 2023-06-15).
72
Percent of CMMC 2.0 assessments conducted in sequential scoping (Source: CyberAB, 2023-06-15)
Breaking Down Sequential Scoping
Sequential scoping, a practice where separate assessments are conducted for different CMMC levels or systems, is becoming increasingly common in CMMC 2.0 assessments. According to CyberAB data, this approach is often driven by the need to address specific CUI or system requirements, rather than a comprehensive assessment of the entire organization.
As a result, contractors are facing increased costs and timelines, with some reporting up to 30% higher expenses for sequential assessments compared to a single, comprehensive assessment (interview with a former DoD contracting officer, 2023-11-20).
“‘Sequential scoping is a ticking time bomb for contractors and the DoD, as it creates a culture of fragmentation and inefficiency in CMMC 2.0 assessments.’ – Federal Architect analysis”
Actionable Takeaways for Contractors
Contractors seeking to navigate the complexities of CMMC 2.0 assessments should consider the following key takeaways:
- Conduct a thorough risk assessment to identify areas requiring separate assessments
- Work closely with your C3PAO to determine the best scoping approach for your organization
- Develop a comprehensive POA&M plan to address any identified gaps or risks
Review your current CMMC 2.0 assessment strategy and consider whether sequential scoping is the most effective approach for your organization.
As the DoD continues to implement CMMC 2.0, it is essential to address the hidden costs and inefficiencies of sequential scoping. By adopting a more comprehensive and strategic approach to assessments, contractors and the DoD can work together to create a more efficient and effective cybersecurity ecosystem.


