A company has four waterjet machines with very limited computing capabilities. The company loads CUI onto these machines for machining parts and uses CUI as necessary for machining.
Should these waterjet machines be part of the CMMC Assessment?
A.
No, these waterjet machines are Out-of-Scope Assets and do not need to be assessed.
B.
Yes, these waterjet machines are CUI Assets that must be assessed because they handle CUI.
C.
Yes, these waterjet machines are Specialized Assets that are within the scope of a CMMC Assessment.
D.
No, these waterjet machines are Contractor Risk Managed Assets and do not need to be assessed.
The CMMC Scoping Guidance defines Specialized Assets (e.g., OT, IoT, test equipment, manufacturing machines) that may process CUI but do not always meet traditional IT security requirements. These assets are still within scope and must be documented and assessed as Specialized Assets.
Extract:
“Specialized Assets are defined as operational technology, IoT, test equipment, and similar devices that may process CUI but cannot be secured in the same manner as standard assets. They remain in-scope for the assessment.”
Thus, waterjet machines are Specialized Assets in scope.
Chosen Answer:
This is a voting comment (?). You can switch to a simple comment. It is better to Upvote an existing comment if you don't have anything to add.
Submit