IE if we had had internal website with things like time clocks, holiday bookings etc. On this internal site is also a folder request tool that all access requests must flow throw. Approval is sent to folder owner, IT actions.

This would be roughly the procedure for permission change, but if that internal website is not defined in my CUI enclave scope, should I even be defining it? Would this cause an assessor to want to the consider the internal website as part of an assessment? Would I then need to classify it as a CRMA within the SSP?

I guess what I'm asking is where do you draw the line for an environment definition?