Contractor Risk Managed Assets

This is the most nuanced category and where most scoping mistakes happen.

CRMAs are assets that can handle CUI but aren’t intended to, because you have policies, procedures, and practices in place to prevent it. The key word is “intended” — these assets are technically capable of touching CUI, but your security controls keep them from doing so.

The classic example: a corporate laptop used for general business that’s on the same network as the CUI enclave. It could access CUI — the network path exists — but your access controls (security group restrictions on the CUI SharePoint, Conditional Access policies blocking non-CUI devices) prevent it from doing so. That laptop is a CRMA.

CRMAs do not need to be physically or logically separated from CUI Assets. They’re on the same network, maybe in the same office. What keeps them out of the CUI Asset category is your documented risk-based approach to managing them — not physical isolation.


This is where good documentation saves you money:

  1. If your documentation is solid — you’ve described the asset in the SSP, explained why it’s not a CUI Asset, documented the policies and controls keeping CUI off it, and the assessor is satisfied — the assessor moves on. No further assessment against individual CMMC requirements. This is the ideal outcome.

  2. If your documentation is thin or raises questions — the assessor can do a limited check. This is a spot check, not a full assessment — the regulation explicitly states it cannot “materially increase assessment time or cost.” But it can surface findings if the controls you claimed don’t actually exist.

  3. If the limited check finds problems — those specific gaps are assessed against the relevant CMMC requirements. What was supposed to be a documentation review becomes a finding.

The takeaway: CRMAs are the category where the quality of your SSP documentation directly determines whether the assessor spends five minutes or two hours on an asset.


A CRMA must meet all of these conditions:

  • It is not a CUI Asset (doesn’t process, store, or transmit CUI)
  • It is not a Security Protection Asset (doesn’t provide security functions for the CUI environment)
  • It is not physically or logically separated from CUI Assets (if it were separated, it would be Out-of-Scope)
  • It is managed under your documented risk-based security policies and procedures

Examples: general-purpose corporate workstations on the same network as the CUI enclave, a shared printer outside the CUI area but on the same VLAN, a conference room AV system that connects to the corporate network.


In your SSP, document the following for each CRMA or category of CRMAs:

  • What the asset is and what it does
  • Why it doesn’t process, store, or transmit CUI (the controls that prevent it)
  • How it’s managed under your risk-based security policies
  • What would happen if the control preventing CUI access failed (risk analysis)