UnderCMMC Level 2, contractors are required toidentify, document, and categorize assetsinvolved in handlingControlled Unclassified Information (CUI). This is part of thescoping process, which ensures that all security-relevant assets are properly protected and accounted for in the System Security Plan (SSP), asset inventory, and network diagram.
CMMC Scoping Requirements for Level 2 Assessments:
TheCMMC Scoping Guide(CMMC v2.0) identifies four asset categories:
CUI Assets:Systems that store, process, or transmit CUI.
Security Protection Assets (SPA):Systems providing security functions for CUI Assets (e.g., firewalls, SIEMs).
Contractor Risk Managed Assets (CRMA):Assets that interact with CUI but arenot directly controlledby the organization (e.g., personal devices).
Specialized Assets:These include IoT devices, OT systems, and Government Furnished Equipment (GFE) thatmay require specific security controls.
Where Documentation is Required:
The contractor mustdocument all assets (except out-of-scope assets)in:
The System Security Plan (SSP):A key document detailing security controls and asset categorization.
An asset inventory:Lists all in-scope assets (CUI Assets, SPAs, CRMA, and Specialized Assets).
The network diagram:Provides a visual representation of system connectivity and security boundaries.
Why Out-of-Scope Assets Are Excluded:
TheCMMC Scoping Guidespecifically states that Out-of-Scope Assets arenot required to be documentedin these compliance artifacts because they haveno direct or indirect interaction with CUI.
These assets do not require CMMC controls because they are completely isolated from CUI handling environments.
Why the Other Answer Choices Are Incorrect:
(A) GUI Assets:There is no specific "GUI Asset" category in CMMC scoping.
(B) CUI and Security Protection Asset categories:While these are included, this answerexcludesContractor Risk Managed and Specialized Assets, which are also required.
(D) Contractor Risk Managed Assets and Specialized Assets:These assetsare included in scopingbut this answer excludes CUI Assets and Security Protection Assets, making it incomplete.
Step-by-Step Breakdown:Final Validation from CMMC Documentation:According to theCMMC Assessment Scope Level 2 Guide, allin-scope assetsmust be documented in the SSP, inventory, and network diagram.The only assets excluded are Out-of-Scope Assets.
Thus, the correct answer is:
C. All asset categories except for the Out-of-Scope Assets.
