CRMA - Contractor Risk Managed Assets (Glossary)

Source: CMMC 2.0 Level 2 Scoping Guide

Term: Contractor Risk Managed Assets

Asset Description:

• Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place
• Assets are not required to be physically or logically separated from CUI assets

Contractor Requirements:

• Document in the asset inventory
• Document in the System Security Plan (SSP)
  • Show these assets are managed using the contractor's risk-based security policies, procedures, and practices
• Document in the network diagram of the CMMC Assessment Scope

CMMC Assessment Requirements: 

• Review the SSP in accordance with practice CA.L2-3.12.4
  • If appropriately documented, do not assess against other CMMC practices
  • If contractor's risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited spot check to identify risks
  • The limited spot check(s) shall not materially increase the assessment duration nor the assessment cost
  • The limited spot check(s) will be within the defined assessment scope