CMMC Level 1 applies to Federal Contract Information (FCI) systems.
Any system or device that is connected to an FCI-handling network is within the assessment scope because it can introduce vulnerabilities into the environment.
The Wi-Fi-enabled thermostat is connected to the FCI network, meaning it has potential access to sensitive contract-related data.
Per CMMC Scoping Guidance, this type of device is classified as a Restricted Information System (Restricted IS)—devices that do not store, process, or transmit FCI but are connected to networks that do.
Restricted IS must be accounted for in the self-assessment scope to ensure they do not compromise security controls.
Reference: CMMC Level 1 Scoping Guidance, CMMC Assessment Process (CAP) Guide

Step 3: Why Other Answer Choices Are Incorrect

A. No, because it is OT (Incorrect): Operational Technology (OT) includes industrial control systems but does not exempt a device from assessment if it connects to an FCI network.
B. No, because it is an IoT device (Incorrect): IoT (Internet of Things) devices that are connected to an FCI network must be assessed to ensure they do not create security vulnerabilities.
D. Yes, because it is government property (Incorrect): The ownership of the device (government or company) does not determine its inclusion in the CMMC assessment scope—its network connectivity does.

Final Confirmation of Correct Answer: The thermostat is part of the CMMC Level 1 Self-Assessment Scope as a Restricted IS.
Thus, the correct answer is: C. Yes, because it is a restricted IS