CSF Identifiers: Difference between revisions

From CMMC Toolkit Wiki
(Created page with "{|class="wikitable" style="width: 85%;" ! style="width: 15%"| Function Unique Identifier ! style="width: 15%"| Function ! style="width: 20%"| Category Unique Identifier ! style="width: 50%"| Category |- |colspan="4"|Assets that are in the CMMC Assessment Scope |- |'''Controlled Unclassified Information (CUI) Assets''' | * Assets that process, store, or transmit CUI |rowspan="2"| * Document in the asset inventory * Document in the System Security Plan (SSP) * Document in...")
 
No edit summary
Line 4: Line 4:
! style="width: 20%"| Category Unique Identifier
! style="width: 20%"| Category Unique Identifier
! style="width: 50%"| Category
! style="width: 50%"| Category
|-
|colspan="4"|Assets that are in the CMMC Assessment Scope
|-
|-
|'''Controlled Unclassified Information (CUI) Assets'''
|'''Controlled Unclassified Information (CUI) Assets'''
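Review bot: the new row `|colspan="4"|Assets that are in the CMMC Assessment Scope` is placed directly under header cells that still read "Category Unique Identifier" and "Category", so the column headings do not describe what the rows below them contain (asset categories and their scoping requirements). Consider renaming the header cells to match the asset table, and add an edit summary, since this revision has none.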

Revision as of 20:36, 9 April 2023

Function Unique Identifier | Function | Category Unique Identifier | Category
Controlled Unclassified Information (CUI) Assets
  • Assets that process, store, or transmit CUI
  • Document in the asset inventory
  • Document in the System Security Plan (SSP)
  • Document in the network diagram of the CMMC Assessment Scope
  • Prepare to be assessed against CMMC practices
  • Assess against CMMC practices
Security Protection Assets
  • Assets that provide security functions or capabilities to the contractor's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI
Contractor Risk Managed Assets
  • Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
  • Assets are not required to be physically or logically separated from CUI assets
  • Document in the asset inventory
  • Document in the SSP
    • Show these assets are managed using the contractor’s risk-based security policies, procedures, and practices
  • Document in the network diagram of the CMMC Assessment Scope
  • Review the SSP in accordance with practice CA.L2-3.12.4
    • If appropriately documented, do not assess against other CMMC practices
    • If contractor’s risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks
    • The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost
    • The limited spot check(s) will be within the defined assessment scope
Specialized Assets
  • Assets that may or may not process, store, or transmit CUI
  • Assets include: government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment
  • Review the SSP in accordance with practice CA.L2-3.12.4
  • Do not assess against other CMMC practices
Assets that are not in the CMMC Assessment Scope
Out-of-Scope Assets
  • Assets that cannot process, store, or transmit CUI
  • Assets are required to be physically or logically separated from CUI assets
  • None