Understanding CMMC Asset Categorization
TheCMMC 2.0 Scoping Guidedefines how assets are categorized based on their involvement withFederal Contract Information (FCI)andControlled Unclassified Information (CUI).
In this scenario:
Thegovernment services divisioninteracts withfederal clientsandreceives FCI, making its assetsin-scopefor CMMC Level 1.
Thecommercial services divisioninteractsonly with non-federal clientsanddoes not handle FCI—this means its assets arenot subject to CMMC Level 1 requirementsand should be classified asOut-of-Scope Assets.
CMMC 2.0 Definition of Out-of-Scope Assets
As per theCMMC Scoping Guide, assets that:
✅Do not store, process, or transmit FCI/CUI
✅Do not directly impact the security of in-scope assets
✅Are completely segregated from the FCI/CUI environment
are classified asOut-of-Scope Assets.
Since thecommercial services divisiononly processespublicly available information and has no interaction with FCI, its assets areout-of-scopefor CMMC Level 1 assessment.
Why the Other Answers Are Incorrect
A. FCI Assets
❌Incorrect. FCI assets areonly those that store, process, or transmit FCI. The commercial services division doesnothandle FCI, so its assets donotqualify.
B. Specialized Assets
❌Incorrect. Specialized assets refer toInternet of Things (IoT), Operational Technology (OT), and test equipment. These donot applyto a general commercial services division.
D. Operational Technology Assets
❌Incorrect.Operational Technology (OT) Assetsinvolveindustrial control systems, SCADA, and manufacturing equipment—which are not relevant to this scenario.
CMMC Official References
CMMC 2.0 Scoping Guide – Level 1 & Level 2
CMMC Assessment Process (CAP) Document
Thus,option C (Out-of-Scope Assets) is the correct answerbased on official CMMC scoping guidance.
Submit