Categories
Physical and logical locations
Environmental Classifications
Site Complexity & Evidence
Cloud and hybrid environment constraints and Evidence requirements
On-Premises Environmental Constraints & Environmental Exclusions

Physical and logical locations: 100

All tangible sites and intangible digital spaces where CUI is stored, processed, or transmitted; identifying them ensures its proper protection throughout its lifecycle.

What are physical and virtual locations?

Environmental Classifications: 100

This type of environment, typically an office setting, has an asset inventory that comprises laptops, mobile devices, network devices, and servers.

What is a professional environment?

Site Complexity & Evidence: 100

In multi-site environments, ensuring secure communication over untrusted networks is vital. This solution establishes encrypted pathways, allowing remote users to access internal resources as if they were on-site.

What are Virtual Private Network (VPN) tunnels?

Cloud and hybrid environment constraints and Evidence requirements: 100

When OSCs implement VPN solutions for cloud access, assessors must verify that cryptographic modules meet this specific federal standard validation. The certification number and algorithm details become mandatory evidence artifacts for AC.L2-3.1.13 compliance.

What is FIPS 140-2 validation?

On-Premises Environmental Constraints & Environmental Exclusions: 100

These third-party service arrangements create environmental constraints when external providers maintain equipment that processes organizational CUI on-premises.

What are managed IT service contracts?

Physical and logical locations: 200

This refers to any tangible space or item where an organization's hardware, software, and data reside and require specific security measures to protect against unauthorized access and environmental threats.

What is a physical location?

Environmental Classifications: 200

In an industrial control system, this practice mandates documenting every PLC, sensor, HMI, and embedded firmware version, including its physical location on the plant floor and associated control process, then updating it whenever a device is replaced.

What is system baselining in an industrial environment?

Site Complexity & Evidence: 200

These are systems that an OSC doesn't directly manage or control, but must still identify, verify, and restrict according to AC.L2-3.1.20 due to their connection or interaction with the OSC's environment.

What are external systems?

Cloud and hybrid environment constraints and Evidence requirements: 200

In IaaS environments where OSCs cannot access hypervisor-level logs, assessors face this fundamental challenge when evaluating monitoring capabilities.

What is limited infrastructure visibility/control?

On-Premises Environmental Constraints & Environmental Exclusions: 200

These network-isolated segments can be excluded from CMMC scope if assessors confirm that software controls—such as firewall rules and VLAN configurations—effectively prevent any CUI data from flowing across shared infrastructure.

What are logically separated networks (or isolated VLANs)?

Physical and logical locations: 300

This refers to the non-physical, intangible spaces where data is processed, stored, or transmitted and which require particular security measures to protect against unauthorized access and data breaches.

What is a logical location?

Environmental Classifications: 300

Updating network controls to restrict communication between a manufacturing plant's supervisory control systems and its corporate enterprise network directly reinforces the layered segmentation prescribed by this prominent industrial security model.

What is Purdue Model segmentation?

Site Complexity & Evidence: 300

According to CMMC practice PE.L2-3.10.6, these off-site locations must be secured with measures like document protection, device encryption, and secure network access when handling CUI, as they are considered extensions of the organization's enterprise environment.

What are alternative work sites?

Cloud and hybrid environment constraints and Evidence requirements: 300

In hybrid environments, assessors look for these network segmentation methods—enforced with traffic flow logs and firewall rules—to ensure CUI systems are isolated between on-premises and cloud components, allowing only essential communication.

What are VLANs/subnets with controlled gateways?

On-Premises Environmental Constraints & Environmental Exclusions: 300

These endpoint devices can be excluded from CMMC scope only when configured to transmit solely keyboard, video, and mouse signals without local CUI processing capability. Any additional functionality that enables data storage or processing invalidates the exclusion and requires full assessment coverage.

What are VDI client terminals (or virtual desktop thin clients)?

Physical and logical locations: 400

This specific type of visualization tool, crucial for understanding system architecture in CMMC's physical locations, details how information flows within tangible spaces by showing the users, processes, tools, and hardware engaged in CUI movement.

What is a physical data flow diagram?

Environmental Classifications: 400

In both professional and industrial environments, this essential schematic depicts all interconnected nodes and their relationships, graphically illustrating how an organization's network is segregated and how sensitive assets, including CUI enclaves, are logically isolated for protection.

What is a Network Diagram?

Site Complexity & Evidence: 400

For CMMC assessors evaluating AC.L2-3.1.12, the requirement to gather and confirm consistent remote access controls and monitoring across separate, physically dispersed locations poses an inherent evidence collection challenge rooted in this type of operational environment.

What are multi-site environmental constraints?

Cloud and hybrid environment constraints and Evidence requirements: 400

When CUI has territorial restrictions, assessors require evidence that cloud services are configured to comply with these requirements—especially in multi-region environments where geographic boundary controls must be enforced.

What are data residency configurations?

On-Premises Environmental Constraints & Environmental Exclusions: 400

These challenges arise for assessors when multiple organizations share physical infrastructure—such as power, cooling, and rack space—making it difficult to validate security boundaries and assign responsibility for physical protection and environmental controls.

What are multi-tenant facility challenges?

Physical and logical locations: 500

This comprehensive visual representation illustrates the high-level architecture of an organization's technological infrastructure, detailing the interconnectedness and functional relationships between its various physical components and virtual elements.

What is a system diagram?

Environmental Classifications: 500

This environment relies on programmable systems and devices that interact with the physical world, referred to as Operational Technology (OT), among other specialized assets.

What are industrial environments?

Site Complexity & Evidence: 500

To thwart session hijacking or unauthorized access to unattended systems, this CMMC control mandates the automatic ending of communication sessions on both internal and external networks, either immediately upon logout or following a set period of user idleness.

What is network connection termination?

Cloud and hybrid environment constraints and Evidence requirements: 500

Assessors require this type of documentation from cloud service providers to determine which security controls are inherited versus those requiring OSC implementation. This artifact becomes critical when evaluating shared responsibility models for CMMC compliance.

What is a Shared Responsibility Matrix?

On-Premises Environmental Constraints & Environmental Exclusions: 500

When cybersecurity consultants, managed service providers, and enterprise network administrators operate from remote locations but maintain administrative access to organizational CUI systems, assessors face these specific challenges in scope determination. Their physical absence from OSC facilities doesn't eliminate their classification as security protection assets requiring inclusion in personnel inventories and access control evaluations.

What are environmental constraints related to offsite security protection personnel?