Marking Requirements In and Out of Scope (New Experience)

How to scope framework requirements to match your environment.

💡 Still using the classic Drata experience? Refer to Marking Requirements In and Out of Scope for the original UI.

Mark framework requirements as In Scope or Out of Scope to ensure your readiness calculations reflect only what applies to your organization. Only in-scope requirements contribute to a framework’s readiness percentage.

Prerequisites

  • Required Drata role: Admins, Information Security Leads, or Workspace Managers with write access to Frameworks can update requirement scope. This permission allows them to modify requirements and change scope for the frameworks they manage.

Open the Framework Page

  1. In the left navigation, go to Compliance > Frameworks.

  2. Select a framework to open its detail page.

  3. Use the Requirements table to view all requirements, mapped controls, readiness status, and scope.

Mark Requirements Out of Scope

Use this process when one or more requirements do not apply to your environment, for example, a data center requirement for a cloud-only organization.

  1. Go to Compliance > Frameworks.

  2. Select a framework and scroll to the requirements table.

  3. Filter the table by Scope: In Scope.

  4. To mark a single requirement out of scope, select the ellipsis next to the requirement.

  5. To select multiple requirements:

    • Select the checkbox in the column header to select all requirements currently visible in the table.

    • After you select a requirement, you can select or deselect all visible requirements.

  6. Select Mark Out of Scope.

  7. In the confirmation dialog, review the number of requirements being updated.

  8. Provide a business rationale. This field is required.

    • Enter a clear explanation for why the selected requirement or requirements do not apply, for example: “We are a fully cloud-hosted SaaS provider and do not manage on-premises infrastructure.”

    • If multiple requirements are selected, the same rationale is applied to all of them.

  9. Select Confirm.

Drata removes these requirements from readiness calculations and treats them as excluded for the selected framework.

Controls Affected by Scope Changes

When you mark requirements Out of Scope, Drata evaluates controls mapped to those requirements:

  • If a control is mapped to only one requirement and that requirement is marked Out of Scope, the control is automatically marked Out of Scope.

To review the controls that are mapped to a requirement:

  1. Select the desired requirement.

  2. Navigate to the Controls tab.

  3. Select the control for more information.

Mark Requirements In Scope

Use this process to include requirements in readiness calculations and treat them as applicable to your environment.

  1. In the framework’s Requirements table, filter by Scope: Out of Scope.

  2. Select the requirements to include.

  3. From the table actions, select Mark In Scope.

  4. Confirm the change.

After requirements are marked In Scope:

  • They are included in framework readiness calculations.

  • Controls mapped to those requirements are re-evaluated for scope based on all mapped, in-scope requirements.

How Requirement Scope Affects Framework Readiness

Requirement scope directly impacts both readiness and control scope:

  • Only in-scope requirements count toward a framework’s readiness percentage.

  • A control is considered in scope if it is mapped to at least one in-scope requirement.

  • If all requirements mapped to a control are marked Out of Scope, the control is marked Out of Scope.

This alignment between requirements and controls helps maintain consistency across frameworks, controls, and audit evidence.