Reference: CMMC v2.13
Family: SI
Level Introduced: 3
Title: Specialized Asset Security
Practice:
Include specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems and test equipment in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks.
Further Discussion:
Specialized Assets are addressed in the scoping guidance, which should be overlaid on this requirement. The OSC must document Specialized Assets in the asset inventory; develop, document, and periodically update system security plans; and include Specialized Assets in the network diagram. The Specialized Asset section of the SSP should describe associated system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Specialized Assets within the Level 3 CMMC assessment scope must be either assessed against all CMMC security requirements or separated into purpose-specific networks. Specialized Assets may have limitations on the application of certain security requirements. To accommodate such issues, the SSP should describe any mitigations.
Intermediary devices are permitted to mitigate an inability for the asset itself to implement one or more CMMC requirements. An example of an intermediary device used in conjunction with a specialized asset is a boundary device or a proxy.
The high-level list of Specialized Assets includes:
• Government Furnished Equipment;
• IoT and IIoT devices (physical or virtual) with sensing/actuation capability and programmability features;
• OT used in manufacturing systems, industrial control systems (ICS), or supervisory control and data acquisition (SCADA) systems;
• Restricted Information Systems, which can include systems and IT components that are configured based on government requirements; and
• Test equipment.
Example
You are responsible for information security in your organization, which processes CUI on the network, and this same network includes GFE for which the configuration is mandated by the government. The GFE is needed to process CUI information [a]. Because the company cannot manage the configuration of the GFE, it has been augmented by placing a bastion host between it and the network. The bastion host meets the requirements that the GFE cannot, and is used to send CUI files to and from the GFE for processing. You and your security team document in the SSP all of the GFE to include GFE connectivity diagrams, a description of the isolation mechanism, and a description of how your organization manages risk associated with that GFE [a].
Potential Assessment Considerations
• Has the organization documented all specialized assets in asset inventory [a]?
• Has the organization documented all specialized assets in the SSP to show how risk is managed [b]?
• Has the organization provided a network diagram for specialized assets [a,b]?
Implementation Strategies
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.
800-172 Requirements vDraft (1)
This is for registered users only. Please sign up for a free account, or Login, to see complete cross references to other standards and frameworks.