CMMC Assessment Asset Categorization
Doug Landoll, Lantego


Before a CMMC assessment can take place, the assessed organization must specify the assets within the CMMC system according to the asset categories specified by the CMMC Assessment Scoping Guides. In general, CMMC assets are categorized by those assets within the scope of assessment and those outside the scope of assessment. However, the specific asset categories not only inform which assets are within the assessed environment but also the details of how they are to be assessed.

CMMC assets are treated very differently in the different levels of CMMC assessments. This article describes the CMMC treatment of assets at assessment level 1.

CMMC Level 1 Self-Assessment Assets

There are three asset categories defined for CMMC level 1 self-assessments. These categories are FCI assets, out-of-scope assets, and specialized assets.

[Figure: FCI Asset Categorization Decision Workflow and Examples]

In-scope assets within a CMMC level 1 self-assessment are defined as FCI Assets.

  • FCI Assets – Assets that directly process, store, or transmit FCI data, such that:

    o Process – FCI is processed within a system if it is accessed, entered, edited, generated, manipulated, or printed by the asset;

    o Storage – FCI is stored within a system if it is inactive or at rest on the asset, for example stored on electronic media, stored in system component memory, or printed on paper documents; and

    o Transmit – FCI is transmitted within a system if it is transferred from one asset to another, for example by technical transmission protocols or by physical delivery methods.

These are the only assets that are within the scope of the CMMC level 1 self-assessment. These assets are assessed against all 15 CMMC level 1 requirements.

There are two other asset categories defined within the CMMC Self-Assessment Scope: out-of-scope assets, and specialized assets. Both are outside of the CMMC level 1 self-assessment scope and are not assessed against any CMMC requirements.

  • Out-of-Scope Assets – Assets that do not process, store, or transmit FCI. These assets are considered outside of the CMMC assessment scope. There are no documentation requirements for these assets and, because they are out of scope, no CMMC requirements apply to them.
  • Specialized Assets – These are special case assets that may process, store, or transmit FCI data but are treated as out of scope. There are five special case classes of specialized assets described in the CMMC scoping guidance. Specialized assets for Level 1 CMMC self-assessments do not need to be assessed against CMMC requirements.

    o Government Furnished Equipment (GFE) – all property owned or leased by the government. This includes government-furnished property and contractor-acquired property if the contractor acquired the property as a deliverable under a cost contract. Examples of government property include material, equipment, special tooling, special test equipment, and real property but not intellectual property or software.

    o Internet of Things (IoT) or Industrial Internet of Things (IIoT) – Interconnected network of devices containing the hardware, software, firmware, sensors and actuators with sensing/actuation capability, and programming features. These are small uniquely identifiable devices connected to larger infrastructures for sensing, communicating, or actuating system components and component states. Examples include sensors (motion, noise volume, temperature, smoke), communicators (e.g., human to machine, machine to machine, machine to human), and actuators (physical access control, valves, lights, cooling fans).

    o Operational Technology (OT) – OT is the use of a computer or software to detect a change (e.g., float valve) or control a machine to perform a mechanical task (e.g., open a valve). This includes any hardware or software that uses direct monitoring and control of industrial equipment to detect the current state, changes, or causes of changes. These systems or devices are used within manufacturing, building management, fire control, physical access control, industrial control systems (ICS), and supervisory control and data acquisition (SCADA) systems to detect or cause changes through the monitoring and control of devices, processes, and events. OT technology includes programmable logic controllers (PLCs), Intelligent Electronic Devices (IEDs), Remote Terminal Units (RTUs), sensors, actuators, and machine controllers.

    o Restricted Information Systems (RIS) – include any devices or information technology (IT) components that are configured based entirely on government requirements and used to support a government contract. For example, systems connected to the FBI’s Criminal Justice Information System (CJIS) would have to be configured to meet CJIS requirements.

    o Test Equipment – hardware and associated components used for the testing of contract deliverables, products, or system components. Examples include special test equipment, spectrum analyzers, power meters, and oscilloscopes.

The assignment of assets within the CMMC environment at level 1 is rather simple. System assets either store, process, or transmit FCI (making them FCI assets) or do not (making them out of scope), with the specialized asset classes above treated as out of scope even where they handle FCI. The organization is required to define which assets will be assessed, but the CMMC scoping guidance does not specify how this definition is to be completed. Although not required at CMMC level 1, an asset inventory and a network diagram are an efficient and effective method of identifying in-scope assets.
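The decision workflow above can be run mechanically over an asset inventory. The following is an added example written for this article, not code from the article or from Lantego; the CSV column layout and the asset names in the sample inventory are constructed for illustration. It applies the three Level 1 rules in order: a declared specialized class wins even when the asset handles FCI, otherwise any of process/store/transmit FCI makes the asset an FCI asset, and everything else is out of scope. An unrecognised specialized class is rejected rather than silently treated as out of scope, since that is the mistake that quietly shrinks the assessed environment.

```python
"""Toy CMMC Level 1 scoping helper over a constructed asset inventory.

Rules implemented (from the Level 1 self-assessment scoping description):
  1. Assets in one of the five specialized classes (GFE, IoT/IIoT, OT, RIS,
     Test Equipment) are 'Specialized Asset' even if they handle FCI.
  2. Otherwise, an asset that processes, stores, or transmits FCI is an
     'FCI Asset' and is assessed against all 15 Level 1 requirements.
  3. Otherwise it is an 'Out-of-Scope Asset'.
The CSV inventory format used here is an assumption for this example.
"""
import csv
import io
from collections import Counter

SPECIALIZED_CLASSES = {"GFE", "IoT", "IIoT", "OT", "RIS", "Test Equipment"}
LEVEL1_REQUIREMENT_COUNT = 15

# Constructed sample inventory; asset names, owners and flags are illustrative only.
SAMPLE_INVENTORY = """\
asset,owner,specialized_class,processes_fci,stores_fci,transmits_fci
FS-01 file server,IT,,no,yes,yes
WS-07 estimator laptop,Estimating,,yes,no,yes
PRN-02 office printer,IT,,yes,no,no
HVAC-BMS controller,Facilities,OT,no,no,no
CJIS-terminal,Security,RIS,yes,yes,yes
Oscilloscope-lab3,Lab,Test Equipment,no,no,no
Guest-wifi AP,IT,,no,no,no
"""


def _truthy(value):
    """Interpret an inventory yes/no cell."""
    return value.strip().lower() in {"yes", "y", "true", "1"}


def categorize(row):
    """Return the Level 1 category for one inventory row (a dict of column -> cell)."""
    cls = row.get("specialized_class", "").strip()
    if cls:
        # Specialized assets are out of scope at Level 1 even if they handle FCI,
        # but an unknown class label must be reviewed, not quietly de-scoped.
        if cls not in SPECIALIZED_CLASSES:
            raise ValueError(f"unknown specialized class {cls!r} for {row['asset']}")
        return "Specialized Asset"
    handles_fci = any(
        _truthy(row.get(col, "")) for col in ("processes_fci", "stores_fci", "transmits_fci")
    )
    return "FCI Asset" if handles_fci else "Out-of-Scope Asset"


def scope_inventory(csv_text):
    """Categorize every asset in the CSV text; return {asset name: category}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["asset"]: categorize(row) for row in reader}


def assessment_summary(categories):
    """Count assets per category and list those assessed against the 15 requirements."""
    counts = Counter(categories.values())
    return {
        "counts": dict(counts),
        "assets_assessed": sorted(a for a, c in categories.items() if c == "FCI Asset"),
        "requirements_per_asset": LEVEL1_REQUIREMENT_COUNT,
    }


if __name__ == "__main__":
    cats = scope_inventory(SAMPLE_INVENTORY)
    for asset, cat in cats.items():
        print(f"{asset:28} {cat}")
    print(assessment_summary(cats))
```

Running the script prints one line per asset with its category, then the summary; the three FCI assets (file server, estimator laptop, office printer) are the only ones the Level 1 self-assessment covers, while the OT controller, CJIS terminal and oscilloscope fall under specialized classes and the guest Wi-Fi access point is out of scope.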

[Figure: CMMC Level 1 FCI Asset Documentation and Assessment Requirements]

This is a multi-part article covering CMMC assessment preparation. The passage was taken from Chapter 3 of the CMMC Assessment Handbook and abbreviated. For more information DM me or contact Lantego at 512 633-8405. www.lantego.com

Ishu Bansal

Optimizing logistics and transportation with a passion for excellence | Building Ecosystem for Logistics Industry | Analytics-driven Logistics

2 months ago

What are some other strategies you recommend for making educated guesses on difficult CISSP questions?
