CSF Identifiers

From CMMC Toolkit Wiki
Revision as of 20:39, 9 April 2023 by Wikiadmin
Function Unique Identifier | Function | Category Unique Identifier | Category
ID
  • Assets that process, store, or transmit CUI
  • Document in the asset inventory
  • Document in the System Security Plan (SSP)
  • Document in the network diagram of the CMMC Assessment Scope
  • Prepare to be assessed against CMMC practices
  • Assess against CMMC practices
Security Protection Assets
  • Assets that provide security functions or capabilities to the contractor's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI
Contractor Risk Managed Assets
  • Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
  • Assets are not required to be physically or logically separated from CUI assets
  • Document in the asset inventory
  • Document in the SSP
    • Show these assets are managed using the contractor’s risk-based security policies, procedures, and practices
  • Document in the network diagram of the CMMC Assessment Scope
  • Review the SSP in accordance with practice CA.L2-3.12.4
    • If appropriately documented, do not assess against other CMMC practices
    • If contractor’s risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks
    • The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost
    • The limited spot check(s) will be within the defined assessment scope
Specialized Assets
  • Assets that may or may not process, store, or transmit CUI
  • Assets include: government property, Internet of Things (IoT) devices, Operational Technology (OT), Restricted Information Systems, and Test Equipment
  • Review the SSP in accordance with practice CA.L2-3.12.4
  • Do not assess against other CMMC practices
Assets that are not in the CMMC Assessment Scope
Out-of-Scope Assets
  • Assets that cannot process, store, or transmit CUI
  • Assets are required to be physically or logically separated from CUI assets
  • None