CSF Identifiers: Difference between revisions

From CMMC Toolkit Wiki
Jump to navigation Jump to search
No edit summary
No edit summary
Line 5: Line 5:
! style="width: 50%"| Category
! style="width: 50%"| Category
|-
|-
|rowspan="2"|style="text-align:center;"|'''ID'''
|rowspan="6" style="text-align:center;"|'''ID'''
|rowspan="2"|style="text-align:center;"|Identify
|rowspan="6" style="text-align:center;"|Identify
|ID.AM
|style="text-align:center;"|ID.AM
|Asset Management
|Asset Management
|-
|-
|ID.BE
|style="text-align:center;"|ID.BE
|Business Environment
|-
|style="text-align:center;"|ID.GV
|Governance
|-
|style="text-align:center;"|ID.RA
|Risk Assessment
|-
|style="text-align:center;"|ID.RM
|Risk Management Strategy
|-
|style="text-align:center;"|ID.SC
|Business Environment
|Business Environment
|-
|-

Revision as of 20:49, 9 April 2023

Function Unique Identifier Function Category Unique Identifier Category
ID Identify ID.AM Asset Management
ID.BE Business Environment
ID.GV Governance
ID.RA Risk Assessment
ID.RM Risk Management Strategy
ID.SC Business Environment
Security Protection Assets
  • Assets that provide security functions or capabilities to the contractor's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI
Contractor Risk Managed Assets
  • Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
  • Assets are not required to be physically or logically separated from CUI assets
  • Document in the asset inventory
  • Document in the SSP
    • Show these assets are managed using the contractor’s risk-based security policies, procedures, and practices
  • Document in the network diagram of the CMMC Assessment Scope
  • Review the SSP in accordance with practice CA.L2-3.12.4
    • If appropriately documented, do not assess against other CMMC practices
    • If contractor’s risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks
    • The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost
    • The limited spot check(s) will be within the defined assessment scope
Specialized Assets
  • Assets that may or may not process, store, or transmit CUI
  • Assets include: government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment
  • Review the SSP in accordance with practice CA.L2-3.12.4
  • Do not assess against other CMMC practices
Assets that are not in the CMMC Assessment Scope
Out-of-Scope Assets
  • Assets that cannot process, store, or transmit CUI
  • Assets are required to be physically or logically separated from CUI assets
  • None
Retrieved from "https://cmmcwiki.org/index.php?title=CSF_Identifiers&oldid=583"