Skip to content

Scoping · Topic 06

Specialized Assets.

A defined set of asset types in scope — Government Property, IoT, OT, restricted systems, and test equipment.

Specialized Assets

Specialized Assets are a defined set of asset types within your CMMC Assessment Scope: Government Property, IoT/IIoT, Operational Technology (OT), Restricted Information Systems, and Test Equipment. Some can process, store, or transmit CUI — but what places an asset in this category is its type, not a judgment about whether it can be fully secured.

They’re in scope, but assessed differently: the assessor reviews your SSP per CA.L2-3.12.4 to verify you’ve documented these assets and explained how you manage them using your risk-based security policies, procedures, and practices. They do not assess Specialized Assets against the other CMMC practices. Specialized Assets may also qualify for Enduring Exceptions.

Government Property — all property the government owns or leases, covering both government-furnished property and property you acquire under the contract (defined in FAR 52.245-1). Does not include intellectual property or software. Government Furnished Equipment (GFE) is the common shorthand for the narrower subset the government provides directly.

IoT / IIoT Devices — smart devices with sensors, actuators, and network connectivity. Smart lighting, HVAC controls, connected fire and smoke detectors, environmental sensors, building automation systems. These typically run embedded firmware that can’t be hardened to 800-171 standards.

Operational Technology (OT) — systems that interact with the physical world. Industrial control systems, building management systems, SCADA, physical access control mechanisms, manufacturing equipment. OT often runs legacy software that can’t be patched without vendor approval and extensive testing.

Restricted Information Systems — systems configured to specific government security requirements and used to support a contract. Fielded systems, obsolete systems maintained for support purposes, and product deliverable replicas that must match the configuration of deployed systems.

Test Equipment — hardware used to test products and deliverables. Oscilloscopes, spectrum analyzers, power meters, logic analyzers, environmental test chambers, special test equipment specific to your contract deliverables.


In your SSP, for each Specialized Asset or category:

  • What the asset is and why it qualifies as a Specialized Asset
  • That it appears in your asset inventory
  • That it’s shown on your network diagram
  • How you manage it using your risk-based security policies, procedures, and practices — even if you can’t apply all 110 controls, you must explain what you do to manage the risk