CMMC Scoping
In Part 4 of the CMMC scoping series, Amira Armond and Mark Hapeman of Kieri Solutions explain the role of Security Protection Assets (SPAs)—systems, software, services, or people that provide security functions within the CMMC assessment scope.
Viewers will learn:
What qualifies as a Security Protection Asset, including firewalls, antivirus servers, MFA tools, IT administrators, facility controls, and even keycard systems.
How some assets can fall into multiple categories (e.g., a file server may be both a CUI asset and an SPA) and how assessors typically approach such overlaps.
Why SPAs must be documented in your asset inventory, described in your SSP, and included in network diagrams—even if they’re outside the CUI network.
What C3PAO assessors are required to evaluate for SPAs: only the security capabilities they directly support (e.g., access control, malware scanning)—not full compliance with all 110 CMMC Level 2 requirements.
Practical examples of how organizations meet specific requirements using SPAs like firewalls or antivirus tools—and how that impacts the scope of the assessment.
Tips for writing your System Security Plan (SSP) to clearly indicate which systems are in scope and avoid unnecessary scrutiny of unrelated systems.
This video helps defense contractors better understand how SPAs factor into CMMC compliance and how to document and defend their use during an assessment.