CMMC Scoping and use of non-work networks

old.reddit.com / u/ice-ninecicle, https://old.reddit.com/user/ice-ninecicle

This started as a "simple" exploration of creating a VLAN for out-of-scope assets so that we could reduce our CMMC footprint. Specifically, according to the CMMC Level 2 Scoping Guide, an Out-Of-Scope Asset is "required to be physically or logically separated from CUI assets". Separation is described elsewhere in the guide in a manner that makes clear that "physical" = airgap and "logical" = firewalls/VLANs.

So if I put my Out-Of-Scope Assets in an isolated VLAN with routing/firewall rules that prevent access to CUI assets, the OOSA are truly out of scope.

But if I take a laptop with CUI on it and temporarily connect to the isolated VLAN, are the assets on that VLAN suddenly in-scope? It seems like it.

What if I carry that laptop with me on a trip and connect it to a hotel wifi, or a friend's wired home LAN? Even though the laptop's storage is FIPS-encrypted and any CUI it transmits will be sent over a VPN to the office, the laptop is still on the same network segment as a bunch of uncontrolled computers. How is that different?

One possible answer is if the laptop (let's suppose Windows) has a local firewall that disallows all inbound connections unless it's on a domain network. Would that qualify as "logical separation" enough?

submitted by /u/ice-ninecicle
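The host-firewall posture the post floats (no inbound at all unless on the domain profile) can be audited and enforced with the built-in NetSecurity cmdlets. This is an added example, not code from the post or from any CMMC guidance; it assumes an elevated PowerShell session on the Windows laptop and that the office network is domain-joined so it classifies as DomainAuthenticated.

```powershell
# Added example (not from the post): audit and enforce "block all inbound off-domain"
# on a CUI laptop using Windows Defender Firewall profiles. Requires elevation.

function Get-NonDomainInboundExposure {
    # Returns one object per non-domain profile whose inbound posture is weaker
    # than "everything inbound blocked". No output means the laptop already
    # refuses inbound connections on hotel / home networks.
    $profiles = Get-NetFirewallProfile -Name Private, Public
    foreach ($p in $profiles) {
        $issues = @()
        if ($p.Enabled -ne 'True')                  { $issues += 'profile disabled' }
        if ($p.DefaultInboundAction -ne 'Block')    { $issues += "default inbound is $($p.DefaultInboundAction)" }
        if ($p.AllowInboundRules -ne 'False')       { $issues += 'inbound allow rules still honoured' }
        if ($p.AllowLocalFirewallRules -ne 'False') { $issues += 'locally created rules merged in' }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{ Profile = $p.Name; Issues = ($issues -join '; ') }
        }
    }
}

function Set-NonDomainInboundBlock {
    # Hardens Private and Public profiles only; the Domain profile is left as-is so
    # in-office management traffic still works. Inbound is blocked regardless of any
    # allow rule, outbound stays open so the VPN tunnel to the office can form, and
    # dropped packets are logged so a probe from the hotel LAN leaves evidence.
    Set-NetFirewallProfile -Name Private, Public `
        -Enabled True `
        -DefaultInboundAction Block `
        -AllowInboundRules False `
        -AllowLocalFirewallRules False `
        -DefaultOutboundAction Allow `
        -LogBlocked True
}

# Which profile is each adapter on right now? A hotel SSID or a friend's LAN shows
# Public or Private; the office shows DomainAuthenticated.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Audit first; run Set-NonDomainInboundBlock if anything is reported, then re-audit.
Get-NonDomainInboundExposure
```

Whether this posture satisfies the assessor as "logical separation" is the scoping question the post raises; the script only makes the laptop's actual inbound posture on non-domain networks verifiable and repeatable.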

published 2 months ago
