Skip to content
  • There are no suggestions because the search field is empty.

Asset Classification Guidance for FutureFeed

Why CRMA is our recommendation for asset classification of FutureFeed

SSP Scoping Statement for FutureFeed
Contractor Risk Managed Asset (CRMA) – FutureFeed SaaS GRC Platform
Asset Name: FutureFeed SaaS Governance, Risk, and Compliance (GRC) Platform
Asset Type: Contractor Risk Managed Asset (CRMA)

FutureFeed utilizes a third-party Software-as-a-Service (SaaS) Governance, Risk, and Compliance (GRC) platform to support internal security governance and CMMC compliance management activities. The platform is used to document policies and procedures, track control implementation status, maintain Plans of Action and Milestones (POA&Ms), and store security configuration references and assessment artifacts.

The GRC platform is not designed or intended to process, store, or transmit Controlled Unclassified Information (CUI). FutureFeed policy expressly prohibits the upload or storage of CUI within the GRC environment. The system is not used for contract deliverables, operational CUI processing, or data exchange with CUI systems.

The GRC platform does not perform security protection functions (e.g., monitoring, enforcement, detection, prevention, or response) for the FutureFeed CUI enclave. It does not provide authentication services, logging infrastructure, endpoint protection, vulnerability scanning, or any technical enforcement capability within the CUI system boundary.

However, the platform does contain sensitive security-related information, including:

  • Control implementation details
  • System configuration references
  • Security architecture documentation
  • Risk assessments and POA&Ms
  • Compliance evidence artifacts

Although this information does not constitute CUI, unauthorized disclosure could increase risk to the confidentiality and security posture of the FutureFeed CUI environment.

Accordingly, FutureFeed has designated the SaaS GRC platform as a Contractor Risk Managed Asset (CRMA) in alignment with CMMC scoping guidance. The platform is intended to be external to the CUI System Boundary and thus not classified as a CUI Asset or Security Protection Asset. Risks associated with its use are managed through FutureFeed’s formal risk management process, including:

  • Vendor security due diligence and review
  • Contractual security and confidentiality protections
  • Role-based access controls
  • Multi-factor authentication enforcement
  • Encryption of data in transit and at rest
  • Periodic review of user access and stored artifacts
  • Organizational policy prohibiting CUI upload

FutureFeed monitors and manages risks associated with the SaaS GRC platform to ensure that its use does not introduce unacceptable risk, however the FutureFeed environment is FedRAMP Moderate equivalent, providing an extra layer of security protection beyond requirements.

Additional Scoping Guidance and Alternative Classification Rationale

Practical “Selection Guide” Summary

Use this as a quick justification block you can keep in your SSP or assessor notes:

  • CUI Asset: do not store/process/transmit CUI due to broad access and boundary expansion risk; enforce policy and technical guardrails to prevent CUI ingestion.
  • SPA (case-by-case): if the platform materially supports security protection of the CUI enclave (operational dependency, incident/vuln response coordination, authoritative security baselines, or integrations that drive remediation).
  • CRMA (recommended default): used for governance/compliance tracking; no CUI; no operational security service to enclave; risk managed via controls and policy.
  • Specialized Asset: assets that cannot practically meet all CMMC requirements such as OT or IoT, Medical devices, and industrial machinery. FutureFeed is clearly not a specialized asset and thus will not be discussed further in this article.
  • Out of Scope: Assets that do not process, store, transmit or protect CUI and are properly separated from in-scope assets. Consideration of this category is discussed below

Default Recommendation (Most Companies)

CRMA designation is our recommendation for most companies. Most organizations use a SaaS GRC platform primarily for governance and compliance workflow (policies, control tracking, POA&Ms, evidence management) and do not integrate it in a way that directly provides technical security services to the CUI enclave. In those common cases, the GRC platform is best treated as a Contractor Risk Managed Asset (CRMA): it is outside the CUI boundary, not intended for CUI, and risk is managed through vendor due diligence, access controls, encryption, and policy restrictions.

That said, depending on how FutureFeed is used, an assessor (or your internal risk rationale) could support a different designation—most plausibly Security Protection Asset (SPA). 

Why FutureFeed Should NOT Be Used as a CUI Asset (and Why “Don’t Store CUI Here” Matters)

Even if someone argues FutureFeed is important, that does not make it a CUI Asset. A GRC platform becomes a CUI Asset when it is used to process, store, or transmit CUI (or is intended/authorized to do so). FutureFeed policy prohibits storage of CUI. However, we are FedRAMP Moderate equivalent, providing protection in the event of CUI spillage, which should be corrected immediately upon discovery.

In addition to FutureFeed policy prohibiting storage of CUI, strong justification for not treating a GRC as a CUI Asset and for explicitly prohibiting CUI storage includes:

  1. Access model is typically broad
    • GRC platforms often have wide access across compliance, engineering, IT, leadership, and auditors/assessors.
    • That creates a high risk of overexposure and “need-to-know” violations for CUI, even with RBAC.
  2. Boundary and compliance blast radius
    • Treating it as a CUI Asset can force you to include the platform, its storage, its integrations, and potentially broader admin/support paths into the CUI boundary—creating a large compliance and audit burden.

Bottom line: the safest and cleanest position is:

  • Do not store CUI due to the breadth of access and the risk of accidental disclosure.
  • Keep CUI in the defined enclave and reference it via controlled pointers (e.g., sanitized evidence summaries, non-CUI control narratives, or redacted artifacts), not raw CUI content.

How You Might Make a Case for Classifying FutureFeed as a Security Protection Asset (SPA)

You can justify classifying the GRC tool as a SPA when it is used in a way that directly supports the protection of the CUI environment, even if it does not sit “in line” with production traffic.

A reasonable SPA case exists if FutureFeed is used to operate, administer, or materially enable security protections such as:

  1. Control enforcement enablement (operational dependency)
    • The CUI enclave’s continued secure operation depends on FutureFeed workflows (e.g., required approvals before configuration changes, gating control attestations required to keep systems in service, operational “go/no-go” for access or releases).
  2. Security operations decisioning and response coordination
    • FutureFeed is used to triage, assign, and manage incidents/vulnerabilities that affect the CUI enclave, including evidence and instructions that security staff rely on to respond and recover.
  3. Authoritative source for security configurations and security architecture
    • The system contains detailed security configuration baselines, architecture diagrams, control implementation specifics, and procedural instructions that administrators use to build/maintain the enclave securely.
    • If compromise of FutureFeed could enable an attacker to more easily defeat protections (e.g., by exposing security architecture, hardening guides, control gaps, open POA&Ms), that can strengthen an SPA argument.
  4. Integration into security tooling workflows
    • If FutureFeed integrates with ticketing, vulnerability scanners, IAM, CI/CD, or monitoring systems in a way that drives remediation actions, triggers tasks, or becomes part of the operational security lifecycle for CUI systems.

Plain-English rationale: even if it’s “just GRC,” if it becomes a system that security personnel depend on to sustain protection of the CUI enclave, it can reasonably be argued to provide security protection support—and therefore be scoped as an SPA.

What changes if you classify it as SPA?

You treat it less like an “external governance tracker” and more like an asset whose compromise could directly degrade enclave protections. That typically implies stronger assurance expectations (tighter access controls, more rigorous logging/monitoring, stricter admin controls, more formal change control, and clearer evidence that compromise would not undermine CUI protections).

“Out of Scope”: Why FutureFeed May Still Need Strong Scoping Treatment

It’s reasonable to say FutureFeed is outside the CUI System Boundary if it does not provide technical security services and if no sensitive information such as configuration diagrams or asset and user lists are included but not storing these artifacts in FutureFeed reduces the efficiency and effectiveness of the tool.

Out of scope is likely not the appropriate designation because most users use FutureFeed to:

  • Store sensitive security information (architecture, control gaps, POA&Ms, implementation details) that could be leveraged to attack the CUI enclave.
  • It may influence or drive security decisions, remediation workflows, or authorization processes.
  • If it is compromised, an attacker could gain a roadmap to your defenses—even if no CUI is present.
FutureFeed Footer – Newest