CMMC Level 1 & Level 2 Scoping Guide - CCA 2025

Last updated 7:38 PM on 5/6/26
16 Terms

1

Prior to a Level 1 Self-Assessment, the contractor must specify what?

The scope

2

What does the scope identify?

Which assets within the contractor's environment will be assessed and the details of the self-assessment

3

In-scope FCI assets perform what three functions?

Process, Store, Transmit FCI

4

What are out-of-scope assets?

Assets that do not process, store or transmit FCI or CUI.

Physical or logical separation from CUI assets is required.

5

What are some examples of specialized assets?

Government property, IoT or IIoT, Restricted Information Systems, Test Equipment.

6

Are specialized assets part of the assessment scope? Why or why not?

No

Falls out of scope if properly documented. There should already be risk-based policy and procedures in place.

7

What are the four main categories that process, store or transmit FCI within the contractor's environment?

People, technology, facilities, external service providers

8

Assets that process, store or transmit FCI are considered in which type of assessment scope?

Self-assessment scope

9

What are security protection assets?

Assets that provide security functions or capabilities to the assessment scope, regardless of whether or not they process, store or transmit CUI.

10

What are contractor risk managed assets?

Assets that can, but are not intended to, process, store or transmit CUI due to policy, procedures and practices that are in place.

Not required to be physically or logically separated from CUI assets.

11

What are specialized assets?

Assets that may or may not process, store, or transmit CUI.

12

For Level 2, which four assets are required to be documented in an asset inventory, SSP and network diagram?

1. CUI Assets

2. Security Protection Assets

3. Contractor Risk Managed Assets

4. Specialized Assets

13

Which assets are assessed against CMMC practices?

CUI Assets and Security Protection Assets

14

When it comes to Contractor Risk Managed Assets, if documentation raises questions about the assets, what does the Assessor do?

Limited spot check

15

What are the two requirements of a limited spot check?

1. Shall not materially increase duration or cost of assessment

2. Must be within the defined assessment scope

16

SSPs are reviewed by the Assessor in accordance with CA.L2-3.12-4 for which two asset types?

1. Contractor Risk Managed

2. Specialized