What are Specialized Assets?

The scoping designation of “Specialized Asset” is reserved for specific categories of devices or systems that may handle CUI but cannot feasibly meet all standard CMMC Level 2 controls due to technical, operational, or design constraints. The CMMC Level 2 Scoping Guide defines five specific categories of Specialized Assets:

1. Government Furnished Equipment (GFE): Hardware owned or leased by the government.
2. Internet of Things (IoT) Devices: Networked smart devices (e.g., HVAC, cameras, sensors, smart locks) with limited built-in security.
3. Operational Technology (OT): Systems that directly monitor or control physical processes (e.g., SCADA, fire/alarm panels, building management systems).
4. Restricted Information Systems (RIS): Systems built to strict government security specs, often obsolete or contract-specific.
5. Test Equipment: Hardware used to test products or deliverables (e.g., oscilloscopes, signal generators).

Note that Test Equipment is not the same thing as equipment used in an IT lab environment where you might test production environment changes. In general, your IT lab environment should be physically segmented from production and should only simulate production data.

Essentially, to be considered a Specialized Asset, the device must fit one of the five designated categories and be incapable of being configured to meet CMMC requirements without destroying its intended purpose.

For example, a legacy application would not be considered a Specialized Asset just because it cannot be redesigned to meet modern authentication standards. Instead, you can implement compensating controls like isolation (e.g., air-gapped, segmented), monitoring (e.g., logsys, IDS), and risk-based management (e.g., restricted physcial access), but this does not reclassify it as a Specialized Asset or alleviate it of CMMC requirements.