As I understand, Security Protection Assets are assets which provide security functions to systems within a company's CMMC Assessment Scope and that these systems may or may not store or transmit CUI. If a company uses a cloud-based version of a Security Protection Asset, does the SPA need to be FedRAMP certified (or equivalent)?