Asset categorization
Do not process, store, or transmit FCI. Outside of the CMMC Self-Assessment Scope and should not be part of the CMMC self-assessment.
What is Out-of-Scope Assets?
32 CFR 170.19(c)(1), require assessment against all applicable NIST SP 800-171 Rev 2 security requirements, but assessors must document specific justification when determining that certain requirements are "not applicable" rather than simply marking them as such.
What is CUI Assets?
Set of assets and systems that an assessor will evaluate for compliance with CMMC practices, marking the exact portion of the environment to which certification applies.
What is the CMMC Certification Boundary?
Mechanism that identifies the person(s) or team(s) in the OSC or the ESP responsible for the implementation and sustainment of the technical controls, as reflected in the terms of service between the ESP as provider and the OSC as customer
What is the Customer Responsibility Matrix/Shared Responsibility Matrix?
Include hardware and/or associated IT components used in the testing of products, system components, and contract deliverables (e.g., oscilloscopes, spectrum analyzers, power meters, and special test equipment).
What is Test Equipment?
• Process – FCI can be used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed).
• Store – FCI is inactive or at rest on an asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents).
• Transmit – FCI is being transferred from one asset to another asset (e.g., data in transit using physical or digital transport methods).
What are FCI Assets?
During a CMMC Level 2 assessment, the assessor should first review the System Security Plan (SSP) to confirm that the asset is documented sufficiently; if policies and procedures raise no concerns, no further requirements are evaluated. If the OSA’s risk-based policies, procedures, or other findings raise questions about that asset, the assessor may perform a limited check—ensuring it does not materially extend assessment duration or cost—against applicable CMMC security requirements.
What is the assessment considerations for a Contractor Risk Managed Assets (CRMA)?
Information systems, organization components, and environment where sensitive FCI or CUI data is stored, processed, or handled, defining the area subject to CMMC requirements and establishing scope for protection against threats and emerging vulnerabilities.
What is a Security Boundary (or Assessment Boundary)?
Contractual documents define service types and standards between providers and customers, and may include Shared Responsibility Matrix details, though large CSPs typically provide standard Terms & Conditions instead.
What are Service Level Agreements?
Included systems [and associated Information Technology (IT) components comprising the system] that are configured based on government requirements (i.e., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas).
What is Restricted Information Systems?
Can, but are not intended to, process, store, or transmit CUI because of security policy, procedures and practices in place. Nor required to be physically or logically separated from CUI assets.
What is Contractor Risk Managed Assets (CRMAs)?
Must be captured in the organization’s asset inventory, be fully detailed in the SSP—demonstrating management under the contractor’s risk-based security policies, procedures, and practices—be shown on the network diagram of the CMMC Assessment Scope, and, once the SSP is reviewed, not be evaluated against other CMMC security requirements unless documentation or findings raise concerns.
What is the CMMC Assessment and documentation requirements of specialized assets?
Physically connected through wired or wireless connections, but software configurations like firewalls and VLANs prevent data from flowing along the physical connection path between CUI and non-CUI environments.
What is Logical Separation?
Planning step involves reviewing certifications like ISO 27001, FedRAMP, or SOC 2 to potentially reduce redundant cybersecurity assessments, though these frameworks currently do not grant any formal credit toward CMMC certification without DoD guidance.
What is non-duplication?
Manufacturing systems, industrial control systems (ICS), or supervisory control and data acquisition (SCADA) systems. OT may include programmable logic controllers (PLCs), computerized numerical control (CNC) devices, machine controllers, fabricators, assemblers, and machining.
What is OT?
Provide security functions or capabilities to the contractor's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI.
What is Security Protection Assets?
Requires assessors to verify complete "physical or logical separation" and prove "no administrative connection" to any in-scope assets, with the burden of proof requiring demonstration that the asset "cannot impact CUI security" through any conceivable attack vector.
What is Out of Scope Assets?
Method of separation is characterized by a complete lack of wired or wireless connections between assets, requiring manual data transfers like USB drives and physical safeguards such as gates, locks, badge access, and security personnel.
What is Physical Separation?
CMMC-term encompasses security-relevant information including configuration data, SIEM logs, vulnerability status data, and access passwords, which can be stored in hot storage collocated with Security Protection Assets or in cold storage offline or cloud-based, with aggregated logs from tools like firewalls and intrusion detection systems being processed by SPAs within the assessment scope.
What is Security Protection Data (SPD)?
Interconnected devices having physical or virtual representation in the digital world, sensing/actuation capability, and programmability features. They are uniquely identifiable and may include smart electric grids, lighting, heating, air conditioning, and fire and smoke detectors [Reference: iot.ieee.org/definition; National Institute of Standards and Technology (NIST) 800-183].
What is IoT or Industrial Internet of Things (IIoT)?
Ranging from government-furnished equipment built to specific configurations to various test equipment such as oscilloscopes or spectrum analyzers—must be documented in the System Security Plan and managed under risk-based security policies to be included within the CMMC Level 2 assessment scope.
What is specialized assets?
Table 3 to § 170.19(c)(1) defines these as assets that "provide security services to protect CUI Assets" but do not directly process CUI, yet they must be assessed against "applicable NIST SP 800-171 Rev 2 security requirements," creating a unique assessment challenge where protective capability rather than data handling determines scope.
What is Security Protection Assets?
Under CMMC scoping, this architectural design concept ensures physical or logical isolation of CUI-processing assets from non-CUI assets, helping limit the scope of security requirements per NIST SP 800-171 Rev. 2.
What is Security Domain Separation?
Include those used for staff augmentation providers using the OSA's systems, non-CSP ESPs and CSPs that do not handle CUI and therefore are not required to meet FedRAMP requirements under DFARS clause 252.204-7012, though their services remain within the OSA's assessment scope.
What is ESPs that aren't in scope of a CMMC L2 assessment?
All property owned or leased by the government. Government property includes both government-furnished and contractor-acquired property. Government property includes material, equipment, special tooling, special test equipment, and real property. Government property does not include intellectual property or software [Reference: Federal Acquisition Regulation (FAR) 52.245-1].
What is Government Property/