What "your environment" means in the CMMC world, why it's the single biggest cost driver in your assessment, and how to think about the shape of yours.
"Your environment" is shorthand for the IT systems, applications, devices, networks, and people that make up where you do your work. It's everything CUI might touch — and everything that touches anything that touches CUI.
For CMMC purposes, what matters most isn't the totality of your environment. It's the authorization boundary — the line drawn around the parts of your environment that handle CUI. Everything inside the boundary is in scope for the assessment. Everything outside is excluded, provided you can show it has no path to CUI. One caveat: the CMMC scoping guidance also pulls in the systems that protect your CUI systems (your identity provider, your logging platform, the MSP's management tooling) even though they store no CUI themselves, so "no CUI on it" alone does not get a system out of scope.
Here's the part most contractors miss: the bulk of CMMC cost isn't in implementing the 110 controls themselves. It's in how widely those controls have to apply. A clean, well-defined boundary covering twenty endpoints and one cloud tenant is dramatically cheaper to certify than a sprawling boundary covering a hundred endpoints, three clouds, and a partially-segmented on-prem network.
The shape of your environment determines how much CMMC will cost you — far more than which assessor you pick or which platform you use. Smaller, well-defined boundary = less cost. Sprawling, undefined boundary = much more.
Most small defense contractors fall into one of four shapes. Identifying which shape you're closest to is the first step in scoping your CMMC effort honestly.
Most work happens in the browser.
All CUI lives in a cloud productivity suite — typically Microsoft 365 (GCC High), occasionally Google Workspace. Laptops connect to the cloud directly. There's no on-prem file server, no internal app servers, no shop floor. Common for software shops, services contractors, consulting firms.
Servers, CAD workstations, shop-floor terminals.
A traditional manufacturer or fabricator: on-prem Active Directory, file shares, CAD/CAM workstations, ERP system, and shop-floor terminals. Email might be in M365 Commercial, but the real work happens behind the office firewall. Common for machine shops, fabricators, electronics assembly.
Some cloud, some on-prem, accumulated over years.
M365 for productivity, on-prem for legacy ERP and engineering tools, maybe AWS or Azure for one-off projects, plus a half-dozen SaaS apps the team picked up. The most common shape — and the hardest to scope. Data flows everywhere because no one ever drew a clean line.
CUI work happens inside a vendor's environment.
You took the migration route — your CUI work happens inside a vendor-managed compliance environment (ATX Defense, Summit 7, PreVeil, or similar). Your commercial tenant handles non-CUI work. Many controls are inherited from the vendor, but only the ones its Customer Responsibility Matrix says it covers; whatever the matrix leaves to you is still yours to implement and document.
The honest fifth shape is "mixed/accidental sprawl" — CUI in OneDrive on a personal laptop, copies on a shared drive nobody owns, attached to emails sent to home addresses. If that's where you are, the first step isn't choosing an archetype — it's finding and containing your CUI before drawing any boundary at all.
If you use Microsoft 365 (and most defense contractors do, in some form), you'll run into the question of which tenant tier you need. This is where many small contractors get stuck — and where the wrong choice leads to either compliance failure or unnecessary expense. Three tiers worth knowing: Commercial, GCC, and GCC High.
A few practical things to know: migrating from Commercial to GCC or GCC High is a significant project — not a flip of a switch. GCC High licensing is roughly 2× Commercial pricing, before migration costs. And if you're between contracts but expect CUI work in the next 12 months, factor that into your tenant decision before signing anything.
M365 isn't the only stack. Here's a quick orientation to other common tools and where the compliance questions live for each.
Standard Google Workspace doesn't meet CUI handling requirements. There's a FedRAMP-equivalent variant (Google Workspace for Government / Assured Workloads) that does — but it's a separate procurement and migration. If your team uses Google Workspace today and you're heading to CMMC Level 2, you'll need to either migrate to the government variant, move CUI work to a different platform, or use a managed enclave.
If any of your CUI lives in AWS — through your own application, a hosted SaaS, or specific stored files — the question is which AWS region. AWS Commercial regions don't meet the bar for CUI on their own. AWS GovCloud (US) does. The two are isolated partitions with different accounts, different credentials, different billing, and different operational practices. A quick check while you inventory: GovCloud resource ARNs begin with arn:aws-us-gov:, Commercial ones with arn:aws:, so any CUI-bearing resource whose ARN sits in the aws partition is in the wrong place.
Tools like Onshape, Autodesk Fusion 360 cloud, or PTC Windchill often handle the most sensitive CUI you have — engineering drawings and technical specifications. Most cloud CAD tools are NOT FedRAMP-equivalent. If you use them, you'll either need to move CAD work to an on-prem or compliant tool, or treat the cloud CAD vendor as an ESP and document the relationship carefully.
ERPs often handle procurement and contract data — frequently CUI. Cloud ERP vendors vary in their compliance posture. Some have GovCloud-equivalent offerings; many don't. If your ERP holds CUI, treat it as in-scope and verify the vendor's compliance status before assuming anything.
If a third party administers your IT, they're an External Service Provider (ESP) under CMMC. You need a Customer Responsibility Matrix (CRM) documenting which controls they handle and which you handle. Your MSP's personnel may be interviewed during your assessment. This is one of the most under-prepared areas for small contractors.
The reason CMMC consultants charge what they do isn't because the controls are exotic — it's because every control has to be implemented and documented in your specific environment. The shape of your environment is the multiplier.
A clean cloud-forward environment with a small CUI footprint might involve documenting 30–40 systems and producing one CRM. A sprawling hybrid environment with multiple clouds, legacy on-prem, and ad-hoc SaaS adoption might involve 100+ systems, three different CRMs, and weeks of data-flow tracing. Same 110 controls, dramatically different effort.
If you go the managed-enclave route, you generally need to move all CUI work into the enclave. Half-measures don't reduce scope much — if your existing environment still touches CUI in any way, it's still in scope. The enclave's value comes from being the entire CUI environment, not part of it.
Most small contractors have an MSP or IT provider. Few have a Customer Responsibility Matrix documenting what the MSP does and doesn't handle. CMMC assessors will ask. ESPs without CRMs become an audit finding and a scramble during assessment week.
You don't have to change your environment to benefit from understanding it clearly. Even staying in your current shape, knowing where CUI flows, what's connected to what, and where the boundary should be drawn is the foundation that makes everything else easier — your SSP, your POA&M, your assessor interviews.
Three things, in order.
Inventory your systems honestly. Cloud tenants, on-prem servers, endpoints, SaaS apps, the MSP, the contracted IT person. Don't filter for what's "in scope" yet — that comes later. The first goal is just an accurate map.
Trace the path of CUI from where it enters your environment (probably email or a customer portal) to where it lives (file shares, CAD systems, ERP) to where it leaves (deliverables, secure transmissions). Wherever CUI passes through, that system is in scope.
Now you can think about scope. Often the cheapest path is to shrink the boundary — move CUI work into a smaller, defined area (an enclave, a specific tenant, a segmented part of your network) rather than certifying everything you have. Sometimes the cheapest path is the opposite — accept a wider scope and document what you have. The right choice depends on the shape you started with.
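A worked version of the three steps above, as an added example that is not part of the original page. Systems are nodes and a directed edge means data produced on one system can land on another (a mail route, a share mount, a sync client, an export job); a system is in the boundary if CUI can reach it along any such path, which is the "touches anything that touches CUI" rule made mechanical. Every system name and flow below is constructed for illustration, including the two toy inventories (a hybrid shape and an enclave-plus-commercial-tenant shape).

```python
"""Scope calculator for a CUI environment.

Added example for this page, not code from the original. Both inventories are
constructed toys and every system name is hypothetical. A directed edge A -> B
means data on A can land on B. A system is in the authorization boundary if CUI
can reach it along any chain of such edges.
"""
from collections import deque

# Constructed hybrid inventory: M365, on-prem, cloud CAD, cloud ERP, stray SaaS.
HYBRID_FLOWS = {
    "customer_portal": {"engineer_laptops"},
    "contract_email": {"engineer_laptops", "finance_laptops"},
    "engineer_laptops": {"m365_sharepoint", "onprem_fileshare", "cloud_cad"},
    "finance_laptops": {"cloud_erp", "m365_sharepoint"},
    "m365_sharepoint": {"engineer_laptops", "finance_laptops"},
    "onprem_fileshare": {"shopfloor_terminals", "cad_workstations"},
    "cad_workstations": {"onprem_fileshare"},
    "cloud_cad": {"engineer_laptops"},
    "cloud_erp": {"finance_laptops"},
    "shopfloor_terminals": set(),
    "hr_saas": {"finance_laptops"},   # pushes data in, never receives any
    "marketing_site": set(),           # connected to nothing
}
HYBRID_CUI_SOURCES = {"customer_portal", "contract_email"}  # where CUI enters

# Constructed enclave inventory: managed enclave beside the commercial tenant.
ENCLAVE_FLOWS = {
    "enclave_email": {"enclave_laptops"},
    "enclave_laptops": {"enclave_sharepoint"},
    "enclave_sharepoint": {"enclave_laptops"},
    "commercial_email": {"commercial_laptops"},
    "commercial_laptops": {"commercial_sharepoint"},
    "commercial_sharepoint": {"commercial_laptops"},
}
ENCLAVE_CUI_SOURCES = {"enclave_email"}


def in_scope(flows, cui_sources):
    """Systems reachable from any CUI entry point by following data flows (BFS)."""
    seen = set(cui_sources)
    queue = deque(cui_sources)
    while queue:
        node = queue.popleft()
        for nxt in flows.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def out_of_scope(flows, cui_sources):
    """Inventoried systems with no path from CUI: the ones you can argue out."""
    return set(flows) - in_scope(flows, cui_sources)


def cui_paths(flows, cui_sources, target):
    """Every simple path from a CUI entry point to `target`.

    This is the evidence for why a system is in scope (the data-flow trace an
    SSP needs) and the list of edges you would have to cut to shrink the boundary.
    """
    found = []

    def walk(node, path):
        if node == target:
            found.append(path)
            return
        for nxt in sorted(flows.get(node, ())):
            if nxt not in path:  # simple paths only, so cycles terminate
                walk(nxt, path + [nxt])

    for src in sorted(cui_sources):
        walk(src, [src])
    return found


def with_flow(flows, src, dst):
    """Copy of `flows` with one extra data path, for what-if scoping."""
    new = {k: set(v) for k, v in flows.items()}
    new.setdefault(src, set()).add(dst)
    new.setdefault(dst, set())
    return new


if __name__ == "__main__":
    print("hybrid in scope:", sorted(in_scope(HYBRID_FLOWS, HYBRID_CUI_SOURCES)))
    print("hybrid out of scope:", sorted(out_of_scope(HYBRID_FLOWS, HYBRID_CUI_SOURCES)))
    for p in cui_paths(HYBRID_FLOWS, HYBRID_CUI_SOURCES, "shopfloor_terminals"):
        print("   " + " -> ".join(p))
    # The half-measure: one engineer forwards an enclave mail to the commercial mailbox.
    leaky = with_flow(ENCLAVE_FLOWS, "enclave_laptops", "commercial_email")
    print("enclave only:", len(in_scope(ENCLAVE_FLOWS, ENCLAVE_CUI_SOURCES)),
          "systems; with one forward:", len(in_scope(leaky, ENCLAVE_CUI_SOURCES)))
```

In the hybrid inventory, ten of twelve systems land in scope and only the marketing site and the HR SaaS (which pushes data in but receives none) can be argued out. In the enclave inventory, a single forwarding path from an enclave laptop to the commercial mailbox drags the entire commercial tenant into scope, which is the half-measure problem in concrete form. Model the systems that protect CUI systems (identity provider, logging platform, MSP management tooling) as edges too, since the CMMC scoping guidance assesses them regardless of whether CUI is stored on them.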
Baseline's interview asks the right questions about your environment, then maps your answers to a clean CMMC scope and a draft SSP. No guessing about boundaries, no $30,000 consultant.