Specialized Asset
A Specialized Asset is a category of in-scope CMMC Level 2 asset that can process, store, or transmit CUI but cannot be fully secured to the requirements; the category covers government furnished equipment (GFE), Internet of Things (IoT) and operational technology (OT) devices, restricted information systems, and test equipment. Specialized Assets are documented in the asset inventory, the System Security Plan, and the network diagram, and are managed through the contractor's risk-based security policies and practices. The assessor reviews that documentation rather than assessing the asset against every requirement.
Related terms
- Assessment Scope
The assessment scope (also called the boundary) is the set of assets (people, technology, facilities, and external service providers) that process, store, or transmit FCI or CUI, or that provide security protection for those assets, and that therefore must meet the applicable CMMC requirements. Drawing the smallest defensible scope is the highest-leverage decision in a CMMC project.
- Security Protection Asset
A Security Protection Asset (SPA) is a system that provides a security function to the CUI environment even if it never stores, processes, or transmits CUI itself, for example a SIEM, an MFA provider, or a VPN concentrator. SPAs are in scope for a CMMC Level 2 assessment and are assessed against the requirements relevant to the protection they provide.
- Contractor Risk Managed Asset
A Contractor Risk Managed Asset (CRMA) is an asset that can, but is not intended to, process, store, or transmit CUI because of the security policies, procedures, and practices the contractor has in place, and that the contractor chooses to manage through those policies rather than through full technical implementation of every requirement. CRMAs are in scope for CMMC Level 2 and must be documented in the asset inventory, the System Security Plan, and the network diagram; the assessor reviews that documentation and, if it is sufficient, does not assess the CRMA against the other requirements. If the documentation is insufficient or raises doubt that the asset is actually managed as described, the assessor may examine it further.
- System Security Plan
A System Security Plan (SSP) is the written document that describes the boundary of a contractor's information system, the security controls implemented to protect it, and how each applicable requirement is satisfied. NIST SP 800-171 requirement 3.12.4 (develop, document, and periodically update system security plans) makes the SSP mandatory at Level 2; at Level 1 an SSP is not required by the rule but is considered a best-practice evidence artifact.