In Part 5 of the CMMC scoping series, Amira Armond and Mark Hapeman of Kieri Solutions explore Contractor Risk Managed Assets (CRMAs)—systems that can, but are not intended to, process, store, or transmit CUI because of safeguards such as policy, procedures, or technical controls.
Viewers will learn:
• How CRMAs differ from CUI assets and why being on the same network as CUI brings them into scope.
• What’s required from contractors: CRMAs must be tracked, documented in the SSP, shown on network diagrams, and protected per CMMC Level 2 requirements.
• What’s required from assessors: they will review CRMAs against a limited, requirement-specific set of controls—and only if those controls are not already well documented in the SSP.
• How to avoid unwanted assessor scrutiny by clearly documenting how every relevant control is applied to CRMAs (e.g., screen lock, patching, malware protection).
• What happens if CUI accidentally lands on a CRMA—and how incident response and proper sanitization can preserve its lower-risk designation.
• Why intentional CUI handling on a CRMA reclassifies it as a CUI asset—making it subject to full assessment.
• Real-world examples including internal systems, printers, email mistakes, and cloud-connected tools that may fall into this category.
This session clarifies how to manage and defend the CRMA classification while aligning with DoD expectations under the final CMMC rule.