Hello everyone,
Can someone please provide some clarification on this matter?
Where do you draw the line between Contractor Risk Managed Asset (CRMA) and Security Protection Asset (SPA)? For some context, here is the actual definition of a SPA according to the CMMC L2 Assessment Scope Guidance document:
"Assets that provide security functions or capabilities to the contractor’s CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI"
So here is my main concern: when it comes to providing "security functions", I understand that this refers more to the technical security of CUI, for instance a Firewall, a SIEM, a VPN concentrator, a Switch with VLANs, and so on. Now, when it comes to "capabilities", I'm not really sure what to make of that.
To be more precise, what I'm trying to figure out is whether I need to consider a platform that is used for employee training, for tracking Incident Response activities, and for other administrative and business-related (but also IT-related) processes. This platform is not directly related to CUI, it does not provide any security to CUI, and it is not on the same network as CUI. I have seen some people say that if you provide training to your CUI employees then this is a SPA. However, I disagree, especially if the focus of CMMC is to protect the Confidentiality of CUI.
Your input on this is much appreciated! :)
Thanks!