CSF Identifiers: Difference between revisions

From CMMC Toolkit Wiki
No edit summary
No edit summary
Line 5: Line 5:
! style="width: 50%"| Category
! style="width: 50%"| Category
|-
|-
|'''ID'''
|rowspan="2"|'''ID'''
|
|rowspan="2"|Identify
* Assets that process, store, or transmit CUI
|ID.AM
|rowspan="2"|
|Asset Management
* Document in the asset inventory
|ID.BE
* Document in the System Security Plan (SSP)
|Business Environment
* Document in the network diagram of the CMMC Assessment Scope
* Prepare to be assessed against CMMC practices
|rowspan="2"|
* Assess against CMMC practices
|-
|-
|'''Security Protection Assets'''
|'''Security Protection Assets'''
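Review bot: in the row that starts with `|rowspan="2"|'''ID'''`, no `|-` row separator is visible between the ID.AM / Asset Management cells and the ID.BE / Business Environment cells, so all six cells fall into one row even though the ID and Identify cells declare rowspan="2"; add a `|-` line before `|ID.BE`. The row that follows, `|'''Security Protection Assets'''`, is still an asset-category row and does not fit the Function / Category identifier columns, so either convert the remaining rows to CSF identifiers or move them to a separate table.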

Revision as of 20:42, 9 April 2023

Function Unique Identifier | Function | Category Unique Identifier | Category
ID | Identify | ID.AM | Asset Management
ID | Identify | ID.BE | Business Environment
Security Protection Assets
  • Assets that provide security functions or capabilities to the contractor's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI
Contractor Risk Managed Assets
  • Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
  • Assets are not required to be physically or logically separated from CUI assets
  • Document in the asset inventory
  • Document in the SSP
    • Show these assets are managed using the contractor’s risk-based security policies, procedures, and practices
  • Document in the network diagram of the CMMC Assessment Scope
  • Review the SSP in accordance with practice CA.L2-3.12.4
    • If appropriately documented, do not assess against other CMMC practices
    • If contractor’s risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks
    • The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost
    • The limited spot check(s) will be within the defined assessment scope
Specialized Assets
  • Assets that may or may not process, store, or transmit CUI
  • Assets include: government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment
  • Review the SSP in accordance with practice CA.L2-3.12.4
  • Do not assess against other CMMC practices
Assets that are not in the CMMC Assessment Scope
Out-of-Scope Assets
  • Assets that cannot process, store, or transmit CUI
  • Assets are required to be physically or logically separated from CUI assets
  • None