CMMC Level 2 Scoping: Understanding Asset Categories for Compliance
Scoping is the cornerstone of your Cybersecurity Maturity Model Certification (CMMC) Level 2 journey. For Defense Industrial Base (DIB) contractors, properly defining your assessment scope ensures compliance with CMMC requirements while avoiding costly missteps. While data flows and network diagrams often steal the spotlight, categorizing your assets correctly is just as critical. In this post, we’ll break down the five CMMC asset categories—CUI Assets, Contractor Risk Managed Assets (CRMA), Security Protection Assets (SPA), Specialized Assets (SA), and Out-of-Scope Assets—to help you streamline your scoping process and ace your CMMC Level 2 assessment.
Want expert guidance on CMMC scoping? Contact us for a free consultation!
Why Asset Categorization Matters for CMMC Level 2
CMMC Level 2 focuses on protecting Controlled Unclassified Information (CUI), requiring organizations to implement NIST SP 800-171 controls across their in-scope assets. Incorrectly categorizing assets can lead to over-scoping (wasting resources) or under-scoping (failing your assessment). By understanding the distinct roles of each asset category, you can accurately document your System Security Plan (SSP) and demonstrate compliance to assessors.
Let’s dive into the five CMMC asset categories and their requirements.
Cat 1. CUI Assets: The Heart of CMMC Level 2
CUI Assets are systems, devices, or components that store, process, or transmit Controlled Unclassified Information (CUI). These are the primary focus of your CMMC Level 2 assessment.
- Key Characteristics:
  - Directly handle CUI (e.g., servers hosting CUI, workstations used to process CUI, or email systems transmitting CUI).
  - Must comply with all 110 NIST SP 800-171 controls as outlined in CMMC Level 2.
  - Subject to thorough scrutiny during assessments.
- Scoping Tip: Inventory all assets that interact with CUI and document their configurations in your SSP. Use tools like Microsoft Purview to track CUI across your environment.
- Example: A SharePoint site in Microsoft 365 Government (GCC High) storing CUI documents.
Cat 2. Contractor Risk Managed Assets (CRMA): A Double-Edged Sword
Contractor Risk Managed Assets (CRMA) are within your assessment scope but not intended to handle CUI. These assets can streamline your assessment if managed correctly but pose risks if misclassified.
- Key Characteristics:
  - Not physically or logically separated from CUI Assets (e.g., part of the same network).
  - Must meet all NIST SP 800-171 controls but are not assessed unless CUI is detected or documentation is inadequate.
  - Require clear documentation in your SSP to justify their CRMA status.
- Scoping Tip: Regularly audit CRMAs to ensure no CUI is present. Misclassifying a CUI Asset as a CRMA can lead to assessment failures.
- Example: Employee laptops on the same network as CUI servers but not used for CUI tasks.
Cat 3. Security Protection Assets (SPA): Safeguarding Your Environment
Security Protection Assets (SPA) provide security functions or store Security Protection Data (e.g., log files, configurations) critical to your CMMC scope.
- Key Characteristics:
  - Include firewalls, intrusion detection systems, or log servers that protect your environment.
  - Assessed only for controls relevant to their security functions (not the full NIST SP 800-171 set).
  - Must be documented in your SSP with details on their protective roles.
- Scoping Tip: Ensure SPAs are properly configured to generate and retain logs, as assessors may review these for compliance.
- Example: A SIEM tool like Azure Sentinel collecting logs from your network infrastructure.
Cat 4. Specialized Assets (SA): Non-Standard Devices
Specialized Assets (SA) are non-standard devices, such as Internet of Things (IoT) devices, operational technology (OT), or industrial control systems, that cannot fully implement NIST SP 800-171 controls due to their design.
- Key Characteristics:
  - Exempt from CMMC Level 2 assessment, as they lack the capability to meet all security requirements.
  - Must still be documented in your SSP with justifications for their exemption.
  - Often require compensating controls (e.g., network segmentation) to minimize risks.
- Scoping Tip: Isolate SAs from CUI Assets whenever possible to reduce their impact on your scope.
- Example: IoT sensors in a manufacturing facility not capable of running antivirus software.
Cat 5. Out-of-Scope Assets: No Compliance Required
Out-of-Scope Assets are completely outside your CMMC assessment scope and do not require security controls or documentation.
- Key Characteristics:
  - Do not store, process, or transmit CUI and are physically or logically separated from in-scope assets.
  - Not subject to assessment or NIST SP 800-171 controls.
- Scoping Tip: Use network segmentation or air-gapping to ensure Out-of-Scope Assets remain isolated from your CMMC environment.
- Example: A guest Wi-Fi network with no access to your corporate systems.
Best Practices for CMMC Level 2 Scoping
To master CMMC Level 2 scoping and asset categorization, consider these tips:
- Conduct a Thorough Inventory: Use automated discovery tools to identify all assets in your environment and classify them by category.
- Document Everything: Maintain a detailed SSP that clearly defines each asset’s role, justification, and applicable controls.
- Validate CUI Boundaries: Regularly audit assets to confirm CUI is only present on CUI Assets and not on CRMAs or SAs.
- Leverage Microsoft Solutions: Deploy Microsoft 365 Government (GCC High) or Azure Government to ensure FedRAMP and DFARS 7012 compliance for CUI Assets, as outlined in Microsoft’s February 2025 compliance guide.
- Engage Experts: Partner with a CMMC consultant to refine your scope and avoid common pitfalls.
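The category rules above and the "Validate CUI Boundaries" practice can be turned into a repeatable check over your asset inventory. The following script is an added example written for this post; it is not code from Stratus Services or from any CMMC tooling. It assumes a constructed inventory in which each asset records four facts (whether it is intended to handle CUI, whether it is physically or logically separated from CUI Assets, whether it provides a security function, and whether it can implement the NIST SP 800-171 controls) plus the result of a CUI audit such as a DLP scan. The order in which the rules are tested is an assumption made here so that every asset lands in exactly one category; the `cui_detected` flag and all asset names are constructed sample data.

```python
"""CMMC Level 2 asset categorizer and CUI-boundary validator (added example).

Assumptions (not from the original post): the rule order in categorize(),
the Asset field names, and the constructed INVENTORY below.
"""
from dataclasses import dataclass


@dataclass
class Asset:
    name: str
    handles_cui: bool = False            # intended to store, process, or transmit CUI
    separated_from_cui: bool = False     # physically or logically separated from CUI Assets
    security_function: bool = False      # provides a security function or holds Security Protection Data
    can_implement_controls: bool = True  # False for IoT/OT that cannot run the required controls
    cui_detected: bool = False           # constructed result of a CUI audit (e.g., a DLP scan)


def categorize(asset: Asset) -> str:
    """Map one asset to a CMMC asset category.

    Rule order is an assumption of this example: anything that handles CUI is a
    CUI Asset regardless of its other roles; otherwise a security function makes
    it an SPA; otherwise a device that cannot run the controls is a Specialized
    Asset; what remains is a CRMA if it shares the environment with CUI Assets
    and Out-of-Scope if it is separated from them.
    """
    if asset.handles_cui:
        return "CUI Asset"
    if asset.security_function:
        return "SPA"
    if not asset.can_implement_controls:
        return "Specialized Asset"
    if asset.separated_from_cui:
        return "Out-of-Scope"
    return "CRMA"


# Assessment treatment per category, as described in the post.
TREATMENT = {
    "CUI Asset": "all 110 NIST SP 800-171 controls, fully assessed",
    "CRMA": "all 110 controls; assessed only if CUI is found or documentation is inadequate",
    "SPA": "controls relevant to the security function only",
    "Specialized Asset": "exempt from assessment; document justification and compensating controls",
    "Out-of-Scope": "no controls or documentation required",
}


def scope_report(assets: list[Asset]) -> dict[str, str]:
    """Return {asset name: category} for the whole inventory."""
    return {a.name: categorize(a) for a in assets}


def validate(assets: list[Asset]) -> list[str]:
    """Return scoping findings that would cause trouble in an assessment:
    CUI found on anything other than a CUI Asset (misclassification), and a
    Specialized Asset that is not isolated from CUI Assets."""
    findings = []
    for a in assets:
        cat = categorize(a)
        if cat != "CUI Asset" and a.cui_detected:
            findings.append(
                f"{a.name}: CUI detected on a {cat}; reclassify as a CUI Asset or remove the CUI"
            )
        if cat == "Specialized Asset" and not a.separated_from_cui:
            findings.append(
                f"{a.name}: Specialized Asset not isolated from CUI Assets; "
                "segment it and document compensating controls"
            )
    return findings


# Constructed sample inventory; names and attributes are invented for the example.
INVENTORY = [
    Asset("sp-cui-site", handles_cui=True),                 # SharePoint site holding CUI
    Asset("hr-laptop-07", cui_detected=True),               # meant to be a CRMA, but audit found CUI
    Asset("sentinel-siem", security_function=True),         # SIEM collecting logs
    Asset("plc-line-3", can_implement_controls=False),      # OT controller on the CUI network
    Asset("guest-wifi-ap", separated_from_cui=True),        # isolated guest network
]

if __name__ == "__main__":
    for name, cat in scope_report(INVENTORY).items():
        print(f"{name:14} {cat:18} {TREATMENT[cat]}")
    for finding in validate(INVENTORY):
        print("FINDING:", finding)
```

Run it against the constructed inventory and the report classifies five assets into five categories, while the validator raises two findings: the laptop that was assumed to be a CRMA but holds CUI (the misclassification the CRMA section warns about), and the PLC that sits on the same network as CUI Assets without segmentation. Extending the `Asset` record with the source of each attribute (discovery tool, DLP report, network diagram) gives you the justification text the SSP needs for each asset.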
Too much? Work with Stratus Services to simplify your CMMC Scoping.
At Stratus Services, we specialize in guiding DIB contractors through the complexities of CMMC Level 2 scoping and compliance. Our services include:
- Comprehensive asset categorization and scoping assessments.
- Tailored SSP development aligned with CMMC requirements.
- Seamless integration of Microsoft 365 Government solutions for CUI protection.