
Security Protection Assets

Security Protection Assets (SPAs) don’t touch CUI themselves but provide security functions that protect the assets that do. They’re in scope because if they fail, your CUI protection fails. A compromised SIEM means your monitoring is blind. A compromised identity provider means your access controls are broken.

SPAs are assessed against the Level 2 requirements relevant to the capabilities they provide — not all 110 requirements. A SIEM gets assessed against audit and monitoring controls. A firewall gets assessed against network protection controls. An identity provider gets assessed against access control and authentication requirements. The assessor determines which requirements are relevant based on the security functions the SPA provides.

Examples Across People, Technology, and Facilities

Type | Examples
--- | ---
People | Cybersecurity consultants providing security services, managed service provider staff who perform system maintenance, enterprise network administrators who configure firewalls and switches
Technology | Cloud-based security tools (SIEM, EDR console, vulnerability scanner), hosted VPN services, identity providers (Entra ID if it serves both CUI and non-CUI users), DNS filtering services, backup infrastructure
Facilities | Co-located data centers hosting CUI infrastructure, Security Operations Centers (SOCs), the office building where CUI systems are located (physical access controls make it an SPA)

Security Protection Data (SPD) is the data these assets create or consume — and it’s in scope because an attacker can use it to compromise your CUI environment. SPD includes:

  • Configuration data required to operate the SPA (firewall rules, SIEM correlation rules, IDS signatures)
  • Log files generated by or ingested by the SPA (SIEM logs, audit records, VPN connection logs)
  • Vulnerability data related to in-scope assets (scan results showing which systems have which vulnerabilities)
  • Credentials that grant access to the in-scope environment (admin passwords, service account credentials, API keys)

Both hot storage (active logs in the SIEM) and cold storage (archived logs in cloud storage or offline media) are in scope. The method and location of cold storage must be documented — if your archived logs sit in an Azure Storage Account, that storage account is part of your scope.

Documentation requirements are the same as for CUI Assets: asset inventory, System Security Plan (SSP), and network diagram. The difference is the assessment treatment — relevant requirements only rather than all 110. But don’t underestimate the scope: a SIEM touches audit controls, a firewall touches network controls, and an identity provider touches access control and authentication — that can still be a significant number of requirements.