How is the scope of a system under CCSS defined?

Scope is the boundary of what’s being audited.

Anything that interacts with key material is part of the scope of a CCSS trusted environemnt.

In practice, scoping means identifying:

Where keys are generated, stored, accessed, and used

Who can interact with them

What systems or services are involved

During an audit, the scope often gets refined as the auditor asks more detailed questions and learns how things actually work in the system being audited.

A good rule:

If it could impact the key material, it’s in scope.