CUI Assets

CUI Assets are the reason you need CMMC in the first place. These are the systems that touch the sensitive defense information in your contracts. Every other scoping decision flows from knowing exactly where your CUI lives, moves, and gets used.

An asset is a CUI Asset if it does any of the following with CUI:

Processes — the asset uses CUI in some way. Someone opens a CUI document on it, edits it, generates a report from it, prints it, or runs software that accesses CUI data. The workstation where an engineer edits a CUI drawing. The application server running the CUI database.

Stores — CUI sits on the asset, whether or not anyone is actively using it. Files on a hard drive, data in a database, documents in a SharePoint library, backups containing CUI data, or printed CUI in a filing cabinet. If CUI is at rest on it, it’s a CUI Asset.

Transmits — CUI moves through the asset. An email server that routes CUI messages, a VPN tunnel that carries CUI traffic, a network switch that forwards CUI packets between systems, or a firewall that inspects CUI traffic flows. The CUI doesn’t have to stop on the device — passing through it is enough.

---

The Assessment Implications

CUI Assets face the full weight of CMMC Level 2. Every one of the 110 requirements applies. Every assessment objective is evaluated. The assessor will examine documents, interview staff, and test mechanisms against every applicable control.

This is why minimizing the number of CUI Assets — through scoping, separation, and enclave design — is so valuable. Fewer CUI Assets means a smaller attack surface, less documentation, and a faster assessment.

---

What You Must Do

Inventory them. Every CUI Asset must appear in your asset inventory with its category, location, and function clearly documented. The assessor will review this inventory — if a system processes CUI and isn’t in the inventory, that’s a finding.

Document them in the SSP. Your System Security Plan must describe how CUI Assets are treated — what controls protect them, how they’re managed, and how they interact with other asset categories.

Include them in your network diagram. The assessment scope network diagram must show all CUI Assets and the boundaries separating them from other asset categories.

Prepare for full assessment. Every CUI Asset must satisfy all 110 Level 2 requirements. Your evidence binder needs documentation for each requirement as it applies to these assets.

To a CEO or Board

CUI Assets are the core of our compliance obligation — the systems where sensitive defense information lives, moves, and gets used. Every other scoping decision flows from knowing exactly where CUI is in our environment. The fewer CUI Assets we have, the smaller and cheaper our assessment.

Common Mistake

Not recognizing a system as a CUI Asset. A network switch that routes traffic between CUI systems is a CUI Asset because CUI transits it. A backup server containing copies of CUI files is a CUI Asset because CUI is stored on it. A shared printer in the CUI work area that has CUI in its print queue is a CUI Asset. Think through every path CUI takes.