CMMC Scoping
In Part 6 of the CMMC scoping series, Amira Armond and Mark Hapeman of Kieri Solutions explain how to identify and handle Specialized Assets—systems that can process, store, or transmit CUI, but cannot be fully secured. This asset category is unique in that assessors do not evaluate these systems against all CMMC Level 2 requirements, but organizations must still manage them using risk-based policies.
Viewers will learn:
• The official definition of Specialized Assets and the five allowed subcategories:
Government-Furnished Equipment (GFE)
Internet of Things (IoT) / Industrial IoT
Operational Technology (OT)
Restricted Information Systems
Test Equipment
• Why these assets are excluded from assessment, and how assessors will only review SSP documentation for evidence of risk-based management.
• How to recognize each type of specialized asset with real-world examples, including:
• Government-issued laptops
• CNC machines and manufacturing systems
• Smart devices with vendor-controlled access
• Development environments handling CUI code
• Key distinctions between when something should be treated as a Specialized Asset and when it must be secured as a CUI or Security Protection Asset.
• Tips for documenting control decisions clearly in the SSP to reduce scope confusion and avoid unnecessary assessment scrutiny.
This session is especially useful for contractors with legacy systems, manufacturing environments, or vendor-managed tech that can’t meet every CMMC control—offering a practical path forward under the final rule.