Function Unique Identifier
|
Function
|
Category Unique Identifier
|
Category
|
ID
|
Identify
|
ID.AM
|
Asset Management
|
ID.BE
|
Business Environment
|
Security Protection Assets
|
- Assets that provide security functions or capabilities to the contractor's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI
|
Contractor Risk Managed Assets
|
- Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
- Assets are not required to be physically or logically separated from CUI assets
|
- Document in the asset inventory
- Document in the SSP
- Show these assets are managed using the contractor’s risk-based security policies, procedures, and practices
- Document in the network diagram of the CMMC Assessment Scope
|
- Review the SSP in accordance with practice CA.L2-3.12.4
- If appropriately documented, do not assess against other CMMC practices
- If contractor’s risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks
- The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost
- The limited spot check(s) will be within the defined assessment scope
|
Specialized Assets
|
- Assets that may or may not process, store, or transmit CUI
- Assets include: government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment
|
- Review the SSP in accordance with practice CA.L2-3.12.4
- Do not assess against other CMMC practices
|
Assets that are not in the CMMC Assessment Scope
|
Out-of-Scope Assets
|
- Assets that cannot process, store, or transmit CUI
|
- Assets are required to be physically or logically separated from CUI assets
|
|