CMMC 2.0 requires all organizations seeking a Level 2 certification to clearly specify the category of each asset in their enclave. This can be confusing for organizations unfamiliar with the category definitions, so below we describe the five categories and give a practical example of each to clarify them:

CUI Assets (Controlled Unclassified Information):

CUI assets are devices that store, process, or transmit data that requires safeguarding or dissemination controls because the data has been marked or otherwise identified as controlled unclassified information (CUI).

Practical Example: A database containing technical specifications for a defense system being developed for the Department of Defense (DoD). Access to this database is restricted due to the controlled nature of the information it contains. The data within the database contains unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry and is categorized as covered defense information (CDI).

Security Protection Assets (SPA):

These are assets that contribute to the protection of the information system by providing security functions or capabilities to in-scope assets, regardless of whether they themselves store, process, or transmit CUI. SPAs include the security mechanisms and features that are essential for maintaining the confidentiality, integrity, and availability of information.

Practical Example: Encryption mechanisms implemented on communication channels and storage devices within the organization’s network to protect sensitive data from unauthorized access, as well as firewalls and SIEM tools.

Contractor Risk Managed Assets (CRMA):

These are assets that are capable of processing CUI but are not intended to store, process, or transmit CUI. The contractor accepts the risks associated with these devices and has implemented a mitigation strategy for them. While CRMA are not required to be physically or logically segregated from CUI assets, physical and logical controls are often employed to mitigate the risk.

Physical Controls can include:

  • Physical separation of the devices, such as housing servers and systems handling CRMA in physically separate locations or secure data centers, apart from those processing or storing CUI
  • Restricting physical access to areas housing CRMA via access control mechanisms
  • Implementing surveillance and monitoring systems to monitor and record access

Logical Controls can include:

  • Network segmentation to isolate the network containing CRMA from networks handling CUI
  • Firewalls to control the flow of traffic between systems handling CRMA and those processing or storing CUI
  • Using separate authentication mechanisms for systems accessing CRMA and those handling CUI
  • Using different encryption zones for data in transit and data at rest for CRMA and CUI assets
  • Implementation of Role-Based Access Control (RBAC) for both CRMA and CUI systems to ensure that users only have access to the resources and data necessary for their specific roles
  • Data classification and tagging on CRMA and CUI assets, with tagging mechanisms that clearly identify the sensitivity level of each asset

Practical Example: A company identifies that a specific server holds critical intellectual property. The company conducts a risk assessment, implements security controls, and regularly monitors the server to mitigate potential risks and vulnerabilities.

Specialized Assets (SA):

Specialized assets are those that have unique security requirements based on their function, sensitivity, or criticality. These assets may or may not store, process, or transmit CUI.

Examples of devices that may be categorized as SAs include biometric access control systems, Industrial Control Systems (ICS), medical devices with data storage, research and development equipment, telecommunications equipment, cryptographic devices, laboratory instruments holding sensitive data, point-of-sale (POS) systems, government property, and financial transaction systems such as ATMs or other devices involved in financial transactions that require special security considerations.

Practical Example: A research and development facility that houses prototypes of advanced military technology. This facility requires specialized security measures, such as biometric access controls and surveillance systems, due to the sensitivity of the projects. The biometric and surveillance systems could be categorized as SA.

Out-of-Scope Assets:

These are assets that are explicitly excluded from the scope of CMMC requirements and are therefore designated as “Out-of-Scope.” These assets do not and cannot store, process, or transmit CUI, either because of technical limitations or because the OSC (Organization Seeking Certification) has procedurally designated them as not capable of doing so.

Practical Example: Non-sensitive, public-facing information on the company’s public website that is not involved in processing or storing controlled information. While it may be part of the organization’s overall IT infrastructure, it is considered out of scope for CMMC requirements.
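As an added example (not from the original article), the following Python encodes the five category definitions above as a decision rule and runs it over a constructed asset inventory to flag entries whose declared category disagrees with their attributes; the hostnames and the precedence order between categories are assumptions made for the example.

```python
# Added example (not from the original article): applies the five CMMC 2.0 Level 2
# asset categories to a constructed inventory and flags mislabelled entries.
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    declared: str            # category recorded in the asset inventory
    handles_cui: bool        # stores, processes or transmits CUI
    cui_capable: bool        # could handle CUI even if not intended to
    security_function: bool  # provides protection to in-scope assets (SPA)
    specialized: bool        # ICS, medical device, POS, government property, etc.

def categorize(a: Asset) -> str:
    """Derive the category from the attributes. The precedence order is an
    assumption for this example: a specialized asset keeps its own category
    even when it handles CUI, since the article says SAs may or may not."""
    if a.specialized:
        return "Specialized Asset"
    if a.handles_cui:
        return "CUI Asset"
    if a.security_function:
        return "Security Protection Asset"
    if a.cui_capable:
        return "Contractor Risk Managed Asset"
    return "Out-of-Scope"

def review_inventory(assets):
    """Return (name, declared, derived) for every asset whose declared
    category disagrees with the category its attributes imply."""
    findings = []
    for a in assets:
        derived = categorize(a)
        if a.declared != derived:
            findings.append((a.name, a.declared, derived))
    return findings

# Constructed sample inventory for demonstration only (hypothetical hostnames).
SAMPLE = [
    Asset("spec-db01", "CUI Asset", True, True, False, False),
    Asset("siem01", "Security Protection Asset", False, True, True, False),
    Asset("eng-ws07", "Contractor Risk Managed Asset", False, True, False, False),
    Asset("plc-line3", "Specialized Asset", False, False, False, True),
    Asset("www-public", "Out-of-Scope", False, False, False, False),
    # Mislabelled: declared CRMA but actually holds CUI; declared Out-of-Scope
    # but still CUI-capable, so it cannot be excluded from scope.
    Asset("eng-ws12", "Contractor Risk Managed Asset", True, True, False, False),
    Asset("jump-old", "Out-of-Scope", False, True, False, False),
]
```

Running `review_inventory(SAMPLE)` reports the two mislabelled hosts, which is the kind of inconsistency an assessor will look for when the asset inventory is compared against the System Security Plan.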

For assistance with your CMMC efforts, contact DTC’s C3PAO team.