Question About Web Application That May, Some Day, Store CUI (posted by /u/breich)

TL;DR: My team maintains a web application that may be expected to store CUI at some point in the future. I'm the engineering manager for the web application project. The individual leading the charge on our CMMC compliance efforts is grasping at straws for a way that we can provide a solution that doesn't require the client device accessing our web application to be in-scope, but I believe that is most definitely a nonsense request. What say the experts?

Hi! I'm the manager of a small software team that maintains a very "mature" (you can interpret that as meaning old) web application which customers use to manage various types of documents and business records. We have a need arising to store information, such as network diagrams, system security plans, evidence and artifacts, related to CMMC compliance in the future.

Now our software has a very long road ahead to be NIST 800-171 or CMMC compliant. I need to be realistic with my company leadership about what we can deliver and what we can promise our customers at the end of that road. The individual leading the charge on our company's CMMC efforts would really like for our SaaS product to provide a viable solution for managing the customer's compliance efforts in a way that doesn't bring the client device they access our service with into scope. I believe that's simply not possible, and here's why I believe that.

We provide a SaaS web application, and that means our application is delivered via web browser, also known as an HTTP/HTTPS client. HTTP/HTTPS is essentially a protocol for requesting files/resources from a remote server. It downloads the resource, generally caches it into a local file, and then does something with it (displays it, generally). By the very nature of HTTP/HTTPS and how browsers operate, I think it immediately brings the device running the browser into scope if the customer uses our system to store CUI. I don't see any way around that.

From what I read online, customers that store CUI in SharePoint GCCH need to treat their devices accessing SharePoint the same way.

I'm a web developer, not a NIST 800-171 nor CMMC expert, so I may simply not know what I don't know here. Any clarification you could provide would be helpful.

submitted by /u/breich

published 2 months ago
