Understanding Specialized Assets Under CMMC Level 2
Key Takeaways
- Definition & Purpose: Specialized Assets are devices or systems that may handle CUI but cannot feasibly meet all standard CMMC Level 2 controls due to their technical or operational nature.
- Five Asset Categories: The CMMC Scoping Guide identifies five types—Government Furnished Equipment (GFE), IoT/IIoT Devices, Operational Technology (OT), Restricted Information Systems (RIS), and Test Equipment.
- Documentation Requirements: All Specialized Assets must appear in the organization’s asset inventory, System Security Plan (SSP), and network diagram, with clear explanations of how each is managed under risk-based security policies.
- Assessment Relief: Specialized Assets are not audited against all 110 CMMC controls. Auditors verify that these assets are properly identified and managed, rather than performing a full control-by-control assessment.
- Risk-Based Management: Organizations may apply alternative or compensating safeguards (e.g., network isolation, limited access, maintenance scheduling) to balance operational needs with security obligations.
Under the CMMC Level 2 framework, “Specialized Assets” are certain devices or systems that may handle Controlled Unclassified Information (CUI) but can’t practically meet all standard IT security controls.
Specialized Assets Categories
According to the official CMMC Level 2 Scoping Guide (v2.13, Sept 2024), there are five categories of Specialized Assets.
- Government Furnished Equipment (GFE): Hardware owned or leased by the government (or built to government specs). This includes any physical equipment (not software or data) that the DoD provides to a contractor.
- Internet of Things (IoT) / Industrial IoT (IIoT) Devices: Networked “smart” devices with sensors and actuators (e.g., smart lighting, HVAC or energy meters, fire detectors, RFID tags). These devices have digital connections but often limited built-in security.
- Operational Technology (OT): Programmable systems that directly monitor or control the physical environment – essentially industrial control systems. Examples include PLCs and SCADA used on a factory floor, building management or fire-suppression systems, or even physical access control panels. The guide explicitly notes that OT includes SCADA systems in manufacturing.
- Restricted Information Systems (RIS): Systems built or configured under strict government security specs to support a contract. These might be fielded/obsolete systems or “replicas” of product deliverables that only exist to fulfill contract requirements.
- Test Equipment: Any hardware (and its associated IT components) used to test products or deliverables (e.g., oscilloscopes, spectrum analyzers, signal generators, power meters, and specialized test rigs).
Each of these asset types must be listed in the organization’s asset inventory and documented in its System Security Plan (SSP). In practice, that means the SSP should describe how each specialized asset is managed under the organization’s risk-based security policies and procedures. For instance, the SSP might note that a particular PLC is updated and monitored according to an industrial control security policy rather than the general NIST SP 800-171 patch schedule. Specialized assets must also appear on the network diagram of the CMMC scope. However, these devices are not “embedded” in the usual way: their treatment (controls, procedures, etc.) is documented without necessarily assigning every control to them.
Benefits of Specialized Asset Classification
There are clear benefits to designating an asset as “specialized” instead of treating it like a CUI Asset. Once an asset is categorized as specialized and properly documented, it is not assessed against all 110 CMMC security controls.
In other words, auditors will review an organization’s SSP and network diagram to confirm they have identified the device and explained how they manage it, but the auditors won’t perform a full checklist audit on it. For example, a PLC on the factory floor does not need every software control or patching step verified in detail.
Specialized assets often have technical constraints (e.g., legacy protocols and/or real-time requirements) that make standard IT controls impractical. The scoping rules allow one to manage these assets with their own risk-based policies and procedures. This means an organization can implement alternative safeguards tailored to the asset. For instance, isolating an OT network segment or using compensating controls could be done instead of forcing a one-size-fits-all IT solution.
Final Thoughts
Many specialized assets are central to day-to-day operations (think factory controllers, HVAC systems, security cameras, etc.). Labeling them “specialized” acknowledges that they must stay running even while meeting security commitments. The specialized category lets an organization maintain continuity (for example, scheduling patches during maintenance windows or using physical isolation) under its risk-based plan.
In summary, the specialized-asset designation means an Organization Seeking Assessment (OSA) documents these items but avoids the overhead of full control verification. Auditors will look at an organization’s documentation (SSP, diagrams) to ensure the assets are accounted for and managed by policy, but they won’t “test the 110 controls” on them.
About the Author

Mike joined McKonly & Asbury in 2022 and is currently a Supervisor with the firm. He is a member of the firm’s Internal Audit Segment, servicing clients in government and commercial segments. Mike is also one of the founding members of our CMMC C3PAO assessment team.