Now that you know what CUI is and where it comes from (Nugget #1), the next critical step is determining which assets in your environment need to be protected and to what degree. This is called asset categorization, and it is the foundation of your assessment scope.
CMMC 2.0 requires all organizations seeking a Level 2 certification to clearly categorize each asset in their environment. Getting this right before your assessment directly impacts your compliance costs, your SSP accuracy, and your assessment outcome. Getting it wrong (in either direction) creates problems:
- Over-categorize and you expand your assessment scope unnecessarily, driving up cost and complexity.
- Under-categorize and you leave CUI assets unprotected, which assessors will find.
The CMMC Level 2 Scoping Guidance defines five asset categories. Every asset in your environment must fit into one of them.
A Note on Scope: Level 1 vs. Level 2
Before applying the five categories, confirm which level applies to your environment:
- Level 1 applies to organizations handling only Federal Contract Information (FCI): information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service. Level 1 requires the 15 basic safeguarding requirements in FAR 52.204-21.
- Level 2 applies to organizations handling Controlled Unclassified Information (CUI). It requires all 110 NIST SP 800-171 Rev 2 controls.
The five asset categories below are a Level 2 / CUI scoping construct. If your organization handles only FCI and no CUI, the Level 1 scoping guidance applies instead. Check your contracts: the presence of DFARS 252.204-7012 is the clearest signal that you handle CUI and are subject to Level 2 requirements.
The Five Asset Categories
1. CUI Assets
Definition: Assets that store, process, or transmit Controlled Unclassified Information.
These are the primary focus of your CMMC Level 2 assessment. All 110 NIST SP 800-171 controls apply to these assets and the systems that support them.
What this includes:
- File servers and network shares containing CUI
- Workstations used to create, access, or modify CUI
- Email systems through which CUI is transmitted
- Collaboration platforms (Teams, SharePoint, etc.) where CUI is stored or shared
- Cloud storage or SaaS applications processing CUI
Practical Tip: Trace CUI from the point it enters your organization, whether through email, portals, file transfers, or verbal discussions, and follow it to every system it touches. Every system on that path is a candidate CUI Asset.
2. Security Protection Assets (SPA)
Definition: Assets that provide security functions or capabilities protecting CUI assets, regardless of whether they process CUI themselves. SPAs are in scope for assessment because compromising them could undermine the protection of CUI assets, even if they never directly touch CUI.
What this includes:
- Firewalls and network security appliances
- Intrusion detection/prevention systems (IDS/IPS)
- Identity and access management (IAM) systems
- Security Information and Event Management (SIEM) tools
- Endpoint detection and response (EDR) platforms
- Patch management and vulnerability scanning tools
- Multi-factor authentication (MFA) systems
Key Point: The DoD scoping guidance uses the word irrespective: SPAs are in scope irrespective of whether they process, store, or transmit CUI. If an asset provides a security function for your CUI environment, it is an SPA and must be included in your assessment scope. This also means an asset cannot be declared out of scope on the grounds that it never touches CUI if it protects assets that do.
3. Contractor Risk Managed Assets (CRMA)
Definition: Assets that are capable of reaching or communicating with CUI assets but are not intended to process, store, or transmit CUI, and have controls in place to prevent CUI contact. CRMAs occupy the most nuanced position in the scoping framework. The organization is explicitly accepting the residual risk of these devices remaining connected to the environment and has implemented a documented mitigation strategy.
What this includes:
- Employee laptops on the corporate network that are not used to access CUI
- Printers or shared workstations that have network connectivity but no authorized CUI access
- IoT devices with network presence but no pathway to CUI systems
Critical Clarification: A CRMA is not simply “a device we don’t think handles CUI.” It is a device that could reach CUI assets but has documented, implemented practices preventing that from happening. Those practices must be real and verifiable, not just stated in policy. Common practices include:
- Logical separation: Network segmentation, VLANs, or access control lists preventing the CRMA from reaching CUI systems
- Access controls: Authentication requirements ensuring only authorized users can access the CRMA
- Monitoring: Logging and alerting to detect any unauthorized attempt to reach CUI from the CRMA
- Sanitizing: A documented process for responding when CUI lands on a CRMA anyway (identifying it, removing it, and sanitizing the device)
Assessor Reality Check: If a CRMA has no meaningful controls preventing CUI contact, assessors will treat it as a CUI Asset and assess it against the full control set. “We don’t intend for it to access CUI” is not a control; it is a hope. Document your controls and be prepared to demonstrate them.
4. Specialized Assets (SA)
Definition: Assets that may touch or interact with CUI but cannot be fully secured to meet all CMMC requirements due to their technical nature or operational constraints. This category exists because some technology simply cannot implement standard security controls, and CMMC acknowledges this reality rather than requiring the impossible.
What this includes:
- Operational Technology (OT) and Industrial Control Systems (ICS): Manufacturing equipment, SCADA systems, PLCs
- Internet of Things (IoT) devices: Smart sensors, building management systems, connected lab equipment
- Government property, including Government Furnished Equipment (GFE): Equipment the government owns, furnishes to you for the contract, and takes back when the work ends
- Restricted Information Systems: Systems configured entirely according to government requirements (for example, a government-specified build delivered under the contract) and used to support that contract
- Test equipment: Specialized measurement or calibration equipment with embedded operating systems
What “specialized treatment” means in practice: Specialized Assets must still be documented in your SSP, assessed for the risks they introduce, and protected through compensating controls where standard controls cannot be applied. The assessment objective is not to exempt them from attention; it is to demonstrate that you have acknowledged their limitations and actively managed the associated risk.
Common Mistake: Listing general-purpose workstations or servers as Specialized Assets to reduce scope. This does not hold up during assessment. The SA category is for assets with genuine technical limitations preventing standard control implementation. It is not for assets that are simply inconvenient to secure.
5. Out-of-Scope Assets
Definition: Assets that have no pathway to CUI (physically and/or logically separated from the CUI environment) and that provide no security functions for CUI assets. They are excluded from the CMMC assessment.
What this requires: Out-of-scope is not a label you self-declare; it must be backed by evidence. Assessors will look for documentation demonstrating that the asset has no realistic pathway to CUI. Separation must be either:
- Physical: The asset is on separate infrastructure, not shared hardware or storage
- Logical: Network controls, access controls, and system configurations prevent any connection to CUI assets
What this includes (when properly separated):
- Public-facing web servers with no connection to internal CUI systems
- Standalone business systems (HR, payroll, marketing) on a fully separate network segment with no CUI contact
- Guest Wi-Fi networks with complete isolation from the CUI environment
Assessor Reality Check: A marketing workstation on a flat network, even one that “isn’t supposed to” access CUI, is almost certainly in scope. Physical and/or logical separation must be real, documented, and verifiable. An out-of-scope claim without supporting network diagrams and access control evidence will not survive assessment scrutiny.
Putting the Categories to Work: Practical Steps
Step 1: Map your CUI flows first. Before categorizing assets, understand where CUI enters, moves through, and exits your environment. Every system on that path is a candidate for CUI Asset or SPA designation.
Step 2: Build an asset inventory. You cannot categorize what you haven’t identified. Maintain a current inventory of all hardware, software, and cloud services in your environment. This is also required by CM.L2-3.4.1.
Step 3: Apply categories deliberately. Work through each asset against the five definitions. When in doubt, categorize conservatively — it is easier to demonstrate to an assessor why you expanded scope than why you contracted it.
Step 4: Document your rationale. Your System Security Plan (SSP) must describe your assessment boundary and the rationale for each categorization decision. “We categorized this asset as CRMA because…” with supporting evidence of controls is what assessors expect to see.
Step 5: Revisit categorization when your environment changes. New contracts, new systems, new vendors, acquisitions, or significant network changes can all affect asset categorization. Build a review trigger into your change management process (CM.L2-3.4.3).
Common Categorization Failures
| Mistake | Why It Fails |
|---|---|
| Calling a device “out of scope” because it “shouldn’t” access CUI | Out-of-scope requires demonstrated technical controls, not intent |
| Listing general IT equipment as Specialized Assets to reduce scope | SA is for assets with genuine technical limitations, not convenience |
| Treating a CRMA as if no controls are needed | CRMAs require documented, implemented, and verifiable controls |
| Forgetting that people and facilities are also scoped | Scoping applies to personnel, locations, and processes, not just technology |
| Categorizing once at project start and never updating | Categorization must reflect the current environment at assessment time |
Assessor Perspective: What They Look For
Assessors evaluate asset categorization by reviewing your SSP boundary description, network diagrams, and asset inventory, and then comparing them to your actual environment. Key questions they ask:
- Does the documented boundary match the physical and logical reality?
- Are there assets present that aren’t accounted for in the SSP?
- Do CRMA designations have real, implemented controls supporting them?
- Are Specialized Asset designations technically justified?
- Are out-of-scope claims supported by network diagrams and access control evidence?
Remember: You propose the boundary. Assessors can and will challenge it.
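As an added example (not from the original article and not an official CMMC tool), the following Python script encodes the checks behind Steps 1 to 5 and the assessor questions above: it compares an SSP's declared categories against discovery results and a segment-level flow policy, then flags undocumented assets, out-of-scope claims that still have a live pathway to CUI, CRMAs with no documented controls, general-purpose hardware labelled as Specialized Assets, and assets found on a different segment than the SSP records. Every asset name, segment, kind and flow rule below is constructed for illustration.

```python
"""Cross-check a declared CMMC asset categorization against discovery results
and a segment-level reachability model. Added example: all assets, segments
and flow rules here are constructed, not taken from any real environment."""
from collections import deque

CATEGORIES = {"CUI", "SPA", "CRMA", "SA", "OOS"}
GENERAL_PURPOSE = {"workstation", "laptop", "server"}   # kinds that rarely justify SA

# Constructed SSP inventory: what the SSP declares for each asset.
SSP_ASSETS = {
    "fs01":       {"category": "CUI",  "segment": "cui-lan",  "kind": "server"},
    "ws-eng-07":  {"category": "CUI",  "segment": "cui-lan",  "kind": "workstation"},
    "fw-edge":    {"category": "SPA",  "segment": "mgmt",     "kind": "firewall", "security_function": True},
    "siem01":     {"category": "SPA",  "segment": "mgmt",     "kind": "siem",     "security_function": True},
    "lt-sales-3": {"category": "CRMA", "segment": "corp-lan", "kind": "laptop",
                   "controls": ["host ACL denies cui-lan", "EDR alerts on SMB to cui-lan"]},
    "prn-2f":     {"category": "CRMA", "segment": "corp-lan", "kind": "printer", "controls": []},
    "cnc-mill-2": {"category": "SA",   "segment": "ot-cell",  "kind": "plc"},
    "srv-build":  {"category": "SA",   "segment": "corp-lan", "kind": "server"},
    "www01":      {"category": "OOS",  "segment": "dmz",      "kind": "server"},
    "ws-mkt-1":   {"category": "OOS",  "segment": "corp-lan", "kind": "workstation"},
    "ws-hr-9":    {"category": "OOS",  "segment": "hr-lan",   "kind": "workstation"},
}

# Constructed flow policy: segment -> segments it may initiate connections to,
# as the firewall/ACL rules allow. Note that corp-lan is permitted into cui-lan.
ALLOWED_FLOWS = {
    "corp-lan": {"cui-lan", "dmz"},
    "mgmt":     {"cui-lan", "corp-lan", "dmz", "ot-cell", "hr-lan"},
    "cui-lan":  set(),
    "dmz":      set(),
    "ot-cell":  set(),
    "hr-lan":   set(),
}

# Constructed discovery output (e.g. a network scan): asset -> segment it was seen on.
DISCOVERED = {
    "fs01": "cui-lan", "ws-eng-07": "corp-lan", "fw-edge": "mgmt", "siem01": "mgmt",
    "lt-sales-3": "corp-lan", "prn-2f": "corp-lan", "cnc-mill-2": "ot-cell",
    "srv-build": "corp-lan", "www01": "dmz", "ws-mkt-1": "corp-lan",
    "nas-legacy": "cui-lan",   # present on the CUI segment but absent from the SSP
}


def reachable_from(segment, flows):
    """All segments a host on `segment` can initiate connections to, transitively."""
    seen, queue = {segment}, deque([segment])
    while queue:
        for nxt in flows.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def has_cui_pathway(segment, cui_segments, flows):
    """True if the segment shares, can reach, or can be reached from a CUI segment."""
    if segment in cui_segments or reachable_from(segment, flows) & cui_segments:
        return True
    return any(segment in reachable_from(c, flows) for c in cui_segments)


def evaluate(ssp, flows, discovered):
    """Return (asset, severity, message) findings where the SSP and reality disagree."""
    findings = []
    cui_segments = {a["segment"] for a in ssp.values() if a["category"] == "CUI"}
    for name in sorted(set(discovered) - set(ssp)):
        findings.append((name, "HIGH", f"seen on {discovered[name]} but absent from the SSP inventory"))
    for name in sorted(set(ssp) - set(discovered)):
        findings.append((name, "MEDIUM", "in the SSP inventory but not found by discovery; inventory may be stale"))
    for name, a in sorted(ssp.items()):
        cat = a["category"]
        if cat not in CATEGORIES:
            findings.append((name, "HIGH", f"unknown category {cat!r}"))
            continue
        if name in discovered and discovered[name] != a["segment"]:
            findings.append((name, "HIGH", f"SSP says {a['segment']} but discovered on {discovered[name]}"))
        pathway = has_cui_pathway(a["segment"], cui_segments, flows)
        if cat == "OOS" and a.get("security_function"):
            findings.append((name, "HIGH", "provides a security function; must be an SPA, not out of scope"))
        elif cat == "OOS" and pathway:
            findings.append((name, "HIGH", "declared out of scope but has a pathway to CUI; treat as CRMA or CUI asset"))
        elif cat == "CRMA" and not a.get("controls"):
            findings.append((name, "HIGH", "CRMA with no documented controls; assess as a CUI asset"))
        elif cat == "CRMA" and not pathway:
            findings.append((name, "INFO", "CRMA with no pathway to CUI; could be documented as out of scope"))
        elif cat == "SA" and a["kind"] in GENERAL_PURPOSE:
            findings.append((name, "HIGH", f"general-purpose {a['kind']} declared a Specialized Asset; justify or reclassify"))
    return findings


if __name__ == "__main__":
    for asset, severity, msg in evaluate(SSP_ASSETS, ALLOWED_FLOWS, DISCOVERED):
        print(f"{severity:6} {asset:12} {msg}")
```

In practice the three inputs come from the asset inventory (CM.L2-3.4.1), a scan or CMDB export, and the firewall or switch ACL policy rather than hand-written dictionaries. Each finding is a prompt to fix either the environment or the SSP rationale before the assessor raises the same question; the script does not decide the category for you, and it knows nothing about people, facilities, or processes, which scope as well.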