Scoping — Official DoD FAQ

Are VDI Endpoints In Scope for CMMC Assessments?

Source: DoD CIO CMMC FAQs v5 (F-Q1)

An endpoint hosting a VDI client is considered an Out-of-Scope Asset if it is configured to not allow any processing, storage, or transmission of CUI beyond keyboard/video/mouse sent to the VDI client. If the configuration allows the endpoint to process, store, or transmit CUI, the endpoint will be a CUI Asset and is in scope. The VDI must prevent copying, saving, printing, file transfers, and only transmit video, keyboard, and mouse data. Multifactor authentication to the VDI server must be implemented.

VDI and CMMC Scoping: A Common Question

Virtual Desktop Infrastructure is increasingly popular as a strategy to limit CMMC assessment scope. When configured correctly, VDI can keep endpoints out of scope — but the configuration requirements are strict.

Requirements for Out-of-Scope VDI Endpoints

For an endpoint to be considered out-of-scope, ALL of the following must be true:

  • No copy-paste: Clipboard sharing between VDI session and endpoint must be disabled
  • No file transfers: Drive mapping and file sharing must be blocked
  • No printing: Print redirection must be disabled (or only to CMMC-compliant printers)
  • No screenshots: Screen capture capabilities must be restricted
  • KVM only: The VDI session should only transmit keyboard, video, and mouse data
  • MFA required: Separate multifactor authentication to the VDI server (e.g., hardware token or PKI with PIN)
  • Server-side enforcement: All restrictions must be configured on the server side, not the client

If Any Restriction Fails

If any of these configurations allows CUI to reach the endpoint, the endpoint becomes a CUI Asset and is fully in scope. There is no partial credit — it's either completely isolated or fully in scope.

VDI can be an excellent scoping strategy, but it requires rigorous configuration management. Document your VDI configuration in your SSP and be prepared for assessors to verify these settings.
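
The all-or-nothing rule above can be checked mechanically against an exported VDI policy before an assessor does it by hand. The sketch below is an added example, not code from the DoD FAQ or from Jun Cyber; the setting names, the export layout and the printer name are hypothetical and must be mapped to your VDI product's real policy keys.

```python
# Added example. Setting names are hypothetical, not a real product's keys.
CHANNELS = {  # redirection channels that must be off, per the list above
    "clipboard_redirection": "No copy-paste",
    "drive_mapping": "No file transfers",
    "screen_capture": "No screenshots",
}

def audit_vdi_policy(policy, compliant_printers=frozenset()):
    """Classify one endpoint from its exported VDI policy (a dict of dicts)."""
    findings = []
    for name in list(CHANNELS) + ["print_redirection", "mfa"]:
        entry = policy.get(name)
        if entry is None:
            # Fail closed: an absent setting cannot be shown to be restricted.
            findings.append(f"{name}: missing from export")
        elif entry.get("enforced_by") != "server":
            findings.append(f"{name}: not enforced on the server side")
    for name, label in CHANNELS.items():
        if name in policy and policy[name].get("enabled", True):
            findings.append(f"{name}: enabled ({label})")
    printing = policy.get("print_redirection")
    if printing and printing.get("enabled", True):
        targets = set(printing.get("allowed_printers", []))
        # Enabled printing passes only with an explicit all-compliant allow-list.
        if not targets or targets - set(compliant_printers):
            findings.append("print_redirection: reaches non-compliant printers")
    mfa = policy.get("mfa")
    if mfa and not mfa.get("required", False):
        findings.append("mfa: not required at the VDI server")
    # All-or-nothing: one finding makes the endpoint a CUI Asset.
    return ("CUI Asset" if findings else "Out-of-Scope Asset"), findings

def _off():  # constructed sample value: channel disabled, enforced server-side
    return {"enabled": False, "enforced_by": "server"}

# Constructed sample exports.
LOCKED = {**{c: _off() for c in CHANNELS}, "print_redirection": _off(),
          "mfa": {"required": True, "enforced_by": "server"}}
LEAKY = {**LOCKED,
         "clipboard_redirection": {"enabled": False, "enforced_by": "client"},
         "print_redirection": {"enabled": True, "enforced_by": "server",
                               "allowed_printers": ["lobby-mfp"]}}

if __name__ == "__main__":
    for label, pol in (("locked", LOCKED), ("leaky", LEAKY)):
        print(label, *audit_vdi_policy(pol), sep="\n  ")
```

A setting that is absent from the export is reported as a finding rather than assumed safe, which keeps the result aligned with the rule that the endpoint is either completely isolated or fully in scope.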
