Understanding CMMC Asset Scoping Requirements
Before conducting a CMMC Level 2 Assessment, an Organization Seeking Certification (OSC) must define the assessment scope by categorizing all assets. This ensures that only relevant systems are assessed against CMMC practices, reducing unnecessary compliance burdens.
According to the CMMC Scoping Guide for Level 2, there are four asset categories:
CUI Assets – Assets that process, store, or transmit Controlled Unclassified Information (CUI).
Security Protection Assets (SPA) – Assets that provide security functions (e.g., firewalls, intrusion detection systems, identity management systems).
Contractor Risk Managed Assets (CRMA) – Assets that do not directly store/process CUI but interact with CUI environments (e.g., BYOD devices, personal computers used for remote access).
Specialized Assets – Unique systems such as Operational Technology (OT), IoT, and Government Furnished Equipment (GFE), which may require limited CMMC assessment.
Which Asset Categories Are Always Assessed?
✅ 1. CUI Assets (ALWAYS ASSESSED)
These are the primary focus of CMMC Level 2 since they handle CUI.
All 110 NIST SP 800-171 controls apply to these assets.
✅ 2. Security Protection Assets (SPA) (ALWAYS ASSESSED)
Security tools that protect CUI Assets are always included in the assessment.
Examples include firewalls, antivirus, endpoint detection and response (EDR) tools, and identity management systems.
Why the Other Answer Choices Are Incorrect:
(A) CUI Assets and Specialized Assets ❌
CUI Assets are assessed, but Specialized Assets are only assessed in a limited manner, depending on their role in CUI security.
(C) Specialized Assets and Contractor Risk Managed Assets ❌
Specialized Assets and CRMAs are typically not fully assessed against CMMC controls unless they directly impact CUI security.
(D) Security Protection Assets and Contractor Risk Managed Assets ❌
SPAs are always assessed, but CRMAs are not necessarily assessed unless they directly impact CUI.
Final Validation from CMMC Documentation:
The CMMC Scoping Guide (Level 2) clearly states that CUI Assets and Security Protection Assets are always assessed against CMMC practices.
Thus, the correct answer is:
B. Security Protection Assets and CUI Assets.