• English (UK)
  • English (US)
Contact Us
Home Resources Webinar On Demand: What are Specialized Assets

Webinar On Demand: What are Specialized Assets

Webinar On Demand: What are Specialized Assets
In this webinar, Robert McVay, Senior Consultant at Smithers, discusses the role of specialized assets in the Cybersecurity Maturity Model Certification (CMMC) and how they impact NIST SP 800-171 compliance. With the CMMC rule expected to finalize by late 2024, defense contractors must prepare now—especially regarding the categorization and treatment of specialized systems.
Key Points:
  • Current Landscape: The CMMC proposed rule was released in December 2023, with full implementation anticipated in FY2025. For now, assessments will remain based on NIST SP 800-171 Rev. 2.
  • Four Asset Categories: CMMC distinguishes assets as CUI assets, security protection assets, contractor risk-managed assets, and specialized assets—the latter requiring particular attention.
  • Specialized Asset Types:
    • Government-Furnished Equipment
    • IoT/IIoT Devices
    • Operational Technology (OT) such as CNC machines and PLCs
    • Restricted Information Systems configured per government specs
    • Test Equipment used in quality assurance and validation
  • Key Requirements: Specialized assets must be inventoried, documented in the system security plan, and scoped properly in your CMMC assessment. They must also be evaluated against NIST 800-171 Rev. 2 control 3.12.4.
  • Risk Management Recommendations:
    • Minimize or eliminate CUI use on specialized assets
    • Restrict access and isolate systems (physically or logically)
    • Clearly define what is and isn’t in scope to avoid overextending the assessment boundary
  • CUI Identification: Contractors should scrutinize contracts for DFARS clauses like 252.204-7012, 7019, 7020, 7021, and 7024. When in doubt, ask your contracting officer and document their guidance in writing.
Specialized assets are not out of scope—they must be managed thoughtfully to ensure compliance while maintaining operational efficiency. Organizations are encouraged to engage early with their C3PAO to define asset boundaries and reduce compliance risk.

For questions or support, attendees were encouraged to contact us today. 

Cancel

New! NIST 800-171 assessment checklist!

NIST SP 800-171 Assessment Checklist

If you are preparing for your NIST 800-171 assessment, this checklist will help you organize your thoughts, understand CMMC scoring, and more. Download it for free today.

View all resources
Robert McVay Senior Consultant, Information Security Services
Robert
McVay

Senior Consultant, Information Security Services

United States

Contact Robert

Latest Resources

See all resources
Smithers: A C3PAO 100 Years in the Making
Navigating Rolling Resistance: SAE J2452 vs. ISO 28580 – A Tire Engineer's Guide
Insights into Pharmaceutical Delivery Device Transit Evaluation: Q&A with Tim Rice
The Role of Risk Management in the ISO 13485 Standard
How Can I Lower the Cost of My CMMC Assessment?