Specialized Assets and CMMC


When talking about CMMC certification and the NIST SP 800-171r2 controls, you will hear mentions of specialized assets. What exactly are these assets?

Four Types of Assets

There are four types of assets your organization can have. Those four types are CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, and Specialized Assets. Of these four, CUI assets will of course always store or transmit CUI data. Contractor risk managed assets may transmit CUI, and specialized assets may also involve the storing and transmission of CUI.

Types of Specialized Assets

What does a specialized asset look like? The answers vary, but specialized assets include government equipment, the Internet of Things (IoT), operational technology, restricted information systems, and test equipment.

Government property

In this context, government property does not include intellectual property or software. In this case, government property could be equipment, material, actual property, or testing/tooling equipment.

Internet of Things (IoT)

Especially for manufacturers whose shops employ Industry 4.0 or smart manufacturing, the Internet of Things likely makes its presence felt on a daily basis. The IoT can include lighting controls; heating, ventilation, and air conditioning controls; fire/smoke detectors; and smart electric grids.

Operational Technology

Manufacturers will be familiar with many of these types of operational technology. CNC machines, industrial control systems (ICS), programmable logic controllers (PLC), and supervisory control and data acquisition (SCADA) all represent examples of operational technology. Incidentally, a common question is whether G and M code is CUI. The answer is that because the code leads to the creation of a design, it is CUI from the start.

Restricted Information Systems

Fielded systems, obsolete systems, and product deliverable replicas are all examples of restricted information systems. If a functional requirement needs support, the support system connected is a restricted information system. Similarly, systems required to support a government contract fall into this category.

Test Equipment

This type of specialized asset is self-explanatory, but anything used for testing federal contract deliverables falls into the specialized asset category. That includes power meters, spectrum analyzers, and more.

How to Treat Specialized Assets for CMMC Certification

Specialized assets must appear in a company’s System Security Plan (SSP). However, there are ways to reduce the risk to CUI data that can also help limit/define a company’s CMMC scope.

Reduce or Eliminate CUI Usage on Devices

If there is any way to remove CUI from specialized assets, do so. If a machine does not need to be connected to the IoT, don’t add extra weight to your requirements.

Restrict Access

Does everyone in your company need to access the CNC machine that is producing contract work? If not, limiting access to specific personnel is a great way to keep the scope under control.

Isolation

If specialized assets can be separated from the rest of the shop physically and/or via firewalls, make an effort to get that done!

Have Questions?

If you have questions about specialized assets or how they fit into the CMMC certification process, use this link to schedule a meeting. We’d be happy to talk to you.

 
