← Custodia
Definition

Security Protection Asset

Also known as: SPA

A Security Protection Asset (SPA) is a system that provides a security function to the CUI environment even if it never stores, processes, or transmits CUI itself, for example a SIEM, an MFA provider, or a VPN concentrator. SPAs are in scope for a CMMC Level 2 assessment and are assessed against the requirements relevant to the protection they provide.

Primary source
CMMC Level 2 Scoping Guide v2.13 (DoD CIO)

Related terms

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)