Security Protection Asset
Also known as: SPA
A Security Protection Asset (SPA) is a system that provides a security function to the CUI environment even if it never stores, processes, or transmits CUI itself, for example a SIEM, an MFA provider, or a VPN concentrator. SPAs are in scope for a CMMC Level 2 assessment and are assessed against the requirements relevant to the protection they provide.
Related terms
- Assessment Scope
The assessment scope (also called the boundary) is the set of assets (people, technology, facilities, and external service providers) that process, store, or transmit FCI or CUI and that therefore must meet the applicable CMMC requirements. Drawing the smallest defensible scope is the highest-leverage decision in a CMMC project.
- Contractor Risk Managed Asset
A Contractor Risk Managed Asset (CRMA) is an asset that can, but is not intended to, handle CUI, and that the contractor chooses to manage with policies and practices rather than full technical implementation of every requirement. CRMAs are in scope for CMMC Level 2 but are assessed against the contractor's own risk-based policies, and are documented in the System Security Plan.
- Specialized Asset
A Specialized Asset is a category of in-scope CMMC Level 2 asset that cannot fully meet the requirements, including government furnished equipment, Internet of Things and operational technology devices, restricted information systems, and test equipment. Specialized Assets are managed through the System Security Plan and risk-based decisions rather than assessed against every requirement.
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization.