People, Technology, and Processes
CMMC assesses the entire Organizational Security Control (OSC) environment — not a subset of it. But "environment" is not self-defining. Every asset, every system account, and every business process that an assessor can reasonably argue touches CUI is in scope unless you have documented a defensible reason it is not. An undefined boundary is an open invitation for scope creep during the assessment.
The goal of this chapter is to define that boundary tightly before any assessor arrives. The work here produces three artifacts that feed directly into the System Security Plan (SSP): an asset inventory classified by CMMC category, a people inventory showing who has access to what, and a process map linking business workflows to the systems that support them. Getting this right reduces assessment burden, focuses implementation effort on the right systems, and gives the assessor a clear picture of what they are evaluating.
Asset Categories
CMMC defines four asset categories. Classification is not a labeling exercise — it determines which controls apply and whether the asset appears in the formal assessment scope.
| Category | Definition | Examples | Assessment Implication |
|---|---|---|---|
| CUI Assets | Systems that process, store, or transmit CUI directly. | Engineering workstations, SharePoint sites containing drawings, Exchange mailboxes receiving government data, file servers with CUI directories. | All 110 CMMC Level 2 practices apply. Full assessment scope. |
| Security Protection Assets (SPA) | Systems that provide security functions for CUI Assets but do not process CUI directly. | SIEM, IdP (Entra ID), MFA system, MDM (Intune), vulnerability scanner, Defender for Endpoint, network firewall. | All 110 CMMC Level 2 practices apply. Full assessment scope. An SPA compromise can expose CUI even though the SPA never holds CUI itself. |
| Contractor Risk Managed Assets (CRMA) | Assets connected to the environment that could affect CUI security, managed through documented organizational risk rather than full CMMC controls. | Personal phones used solely for MFA push notifications, guest Wi-Fi networks physically separated from CUI systems, time-tracking SaaS with no CUI access, building badge systems on an isolated network. | Reduced assessment footprint. Must be documented with a risk acceptance statement in the SSP. Assessors will verify the separation claims. |
| Out of Scope Assets | Systems physically and logically separated from the CUI environment with no pathway to CUI data or CUI systems. | A standalone lab network for non-program R&D, a retail point-of-sale system in a separate facility, employee personal devices that are blocked from corporate resources entirely. | No CMMC controls required. Must be demonstrably isolated — "we think they're separate" is not sufficient documentation. |
Organizations that configure security controls first and classify assets later invariably over-scope. Start with a list of every system in the organization, classify each one, and then apply controls only to CUI Assets and SPAs. This sequencing also reveals CRMA candidates — assets you can defensibly exclude with a risk acceptance rather than a full control implementation.
CUI Assets vs. SPAs — The Practical Distinction
The difference matters operationally. A CUI Asset holds or moves CUI. An SPA protects CUI Assets but does not itself hold CUI. Both require full CMMC controls, but the control emphasis differs: CUI Assets drive requirements like media protection (MP), access control to data (AC), and audit logging of data access (AU). SPAs drive requirements like configuration management (CM), system integrity (SI), and personnel security for administrators (PS).
Entra ID is an SPA. It never holds CUI but it controls who can access everything that does. A compromise of Entra ID is functionally equivalent to a compromise of every CUI Asset it protects.
People in Scope
Every person with interactive access to a CUI Asset or an SPA is in scope for CMMC. This includes both the access itself and the onboarding/offboarding processes that govern it.
| Role | Access Type | In Scope? | Notes |
|---|---|---|---|
| CUI Users (engineers, PMs, program staff) | Direct CUI access — read, create, modify, transmit. | Yes — CUI Asset users | Primary population. All AC, AT, and IA controls apply. |
| IT Administrators | Privileged access to CUI Assets and SPAs — configuration, provisioning, key management. | Yes — SPA administrators | Privileged account controls (AC.L2-3.1.6) apply. Separate admin accounts required. |
| Security Team (ISSO, ISSM) | Read access to logs, SIEM, vulnerability data. Write access to security configuration. | Yes — SPA administrators | Likely overlap with IT admin role in small DIB organizations. Document the roles explicitly regardless. |
| HR (HRIS system access) | System access only — no CUI in HR system. | Conditional | If the HRIS does not process CUI and is not integrated with a CUI Asset or SPA, it may be out of scope. If it feeds account provisioning into Entra ID, the HRIS is an SPA. |
| Finance (ERP) | Accounting system access. | Conditional | If the ERP processes contract-related data that constitutes CUI (e.g., cost reporting on a CUI contract), the ERP and its users are in scope. If the ERP is finance-only with no CUI, document the separation. |
| Subcontractors | Access to CUI systems via VPN, Entra B2B, or shared portals. | Yes | Subcontractors accessing CUI Assets or SPAs are fully in scope. They require CMMC training, phishing-resistant MFA, and background screening per your contracts. |
| Managed Service Provider (MSP) | Privileged remote access to CUI Assets or SPAs. | Yes — treated as privileged administrators | MSP access is one of the highest-risk vectors. The MSP's own CMMC posture, access controls, and supply chain status must be documented in the SSP. |
| External Auditors / Assessors | Time-limited read access for audit purposes. | Yes — temporary privileged access | Access must be formally authorized, time-bounded, and logged. Auditors do not require ongoing accounts. |
MSP and subcontractor access is among the most common gaps identified in CMMC gap assessments. Document every third party with any form of access to in-scope systems, the access method, the authorization date, and the review cadence. An assessor who finds an undocumented MSP account during the assessment will treat it as a control failure, not an oversight.
Technology Inventory
The technology inventory is the backbone of the SSP. It must account for every asset in the CUI and SPA categories and provide the assessor with a defensible picture of the environment boundary.
Inventory Categories
Endpoints
- Managed Windows devices (laptops, desktops) — typically CUI Assets if users access CUI on them, or SPAs if used exclusively for IT administration.
- Mobile devices enrolled in Intune — CUI Assets if CUI email or documents are accessible; CRMA if restricted to MFA push only with MAM policies blocking CUI sync.
- Printers and MFPs — CUI Assets if they store or forward scanned CUI documents; CRMA if they are isolated and print-only with no document storage.
Servers
- On-premises file servers containing CUI directories — CUI Assets.
- On-premises domain controllers — SPAs (they control access to CUI systems).
- On-premises application servers hosting CUI-processing applications — CUI Assets.
- Infrastructure servers (DNS, DHCP, patch management) — SPAs.
Cloud Services
- M365 GCC High tenant — primary SPA and CUI Asset (Exchange Online, SharePoint, Teams).
- Azure Government subscriptions — asset category depends on what runs there; VMs processing CUI are CUI Assets.
- SaaS tools — must be evaluated individually. CUI in a SaaS that is not FedRAMP Authorized in the appropriate impact level is a control gap, not a CRMA candidate.
Network Devices
- Perimeter firewall — SPA.
- Core switches carrying CUI traffic — SPA.
- VPN gateway providing remote access to CUI systems — SPA.
- Out-of-band management network — SPA.
- Guest Wi-Fi (physically separated, no routing to CUI VLANs) — CRMA if properly documented.
OT/IoT
Most DIB organizations have limited OT exposure, but some defense manufacturers operate CNC equipment, test systems, or environmental monitoring on networks adjacent to CUI systems. If the OT network has any path to a CUI Asset or SPA, it must be classified. An air-gapped OT network with no CUI processing may be out of scope; document the separation explicitly.
M365 GCC High as the Primary SPA
In a GCC High-aligned environment, the M365 GCC High tenant is simultaneously the largest SPA and a CUI Asset in its own right. Entra ID controls authentication to every CUI system. Exchange Online receives government email containing CUI. SharePoint and OneDrive store CUI documents. Teams facilitates CUI communication.
| M365 GCC High Component | CMMC Asset Category | Rationale |
|---|---|---|
| Entra ID | SPA | Controls identity and access to all CUI Assets and SPAs. No CUI stored, but a breach exposes everything. |
| Intune | SPA | Enforces device compliance and configuration baselines across all managed endpoints. |
| Defender for Endpoint (MDE) | SPA | Provides EDR coverage across CUI Assets. Alerts and telemetry feed the security operations function. |
| Exchange Online | CUI Asset | Receives and stores email containing CUI. Subject to MP, AU, and AC controls. |
| SharePoint / OneDrive | CUI Asset | Stores CUI documents. Sensitivity labels and DLP enforce access and flow control. |
| Microsoft Teams | CUI Asset | CUI may be shared in chats and channel files. Treated as CUI Asset when CUI channels are in use. |
| Microsoft Purview | SPA | Provides classification, DLP, and audit capabilities that protect CUI Assets. |
| Defender for Cloud Apps (MCAS) | SPA | Provides session control and anomaly detection for cloud access. |
All devices enrolled in Intune are either CUI Assets (if the user accesses CUI on the device) or SPAs (if the device is used exclusively for IT administration with no CUI data). There is no enrolled device category that is automatically out of scope.
M365 Commercial as the Primary SPA
The same classification framework applies in a commercial M365 environment, but the boundary can be drawn more tightly if CUI is confined to specific SharePoint sites, specific distribution groups, or a specific sub-environment. Commercial organizations voluntarily aligning to NIST SP 800-171 Rev. 3 have more flexibility in scoping decisions than organizations undergoing formal CMMC assessment.
| M365 Commercial Component | NIST Asset Category | Notes |
|---|---|---|
| Entra ID | SPA | Same function as GCC High — controls access to all protected systems. |
| Intune | SPA | Device management and compliance enforcement. |
| Defender for Endpoint | SPA | EDR coverage across protected endpoints. |
| Exchange Online | Conditional CUI Asset | In scope only if CUI is received or stored in Exchange. If CUI is confined to specific mailboxes, document the scoping boundary. |
| SharePoint / OneDrive | Conditional CUI Asset | If CUI is confined to specific site collections, the boundary can be drawn at the site collection level. Requires strict access controls and DLP to prevent CUI from migrating to out-of-scope sites. |
| Teams | Conditional CUI Asset | Can be scoped to specific teams with CUI sensitivity labels. Requires robust DLP and guest access controls. |
Claiming that CUI is "confined to specific SharePoint sites" only holds if DLP policies actively prevent CUI from being copied to out-of-scope locations. A tightly scoped environment with weak DLP is worse than a broadly scoped environment with strong controls — the assessor will identify the gap and the scoping argument collapses.
Processes in Scope
Asset and people inventories capture what exists. The process inventory captures what happens — and connects business workflows to the systems and people supporting them. Any process that results in CUI being created, received, handled, or transmitted brings its supporting systems and personnel into scope.
| Business Process | CUI Involvement? | In-Scope Systems | Notes |
|---|---|---|---|
| Contract Intake and CUI Identification | Yes — government contracts and DDs may contain CUI upon receipt. | Exchange Online, SharePoint, document management system. | The intake process is where CUI enters the organization. Marking and classification procedures start here. |
| Engineering Design and Drawing Management | Yes — technical drawings, CAD files, specifications, and test data are typically CUI//SP-CTI. | Engineering workstations, CAD servers, SharePoint/OneDrive, PLM system. | The highest-volume CUI workflow for most defense manufacturers. Every system in this workflow is a CUI Asset. |
| Program Management and Government Reporting | Yes — program status, cost reports, and CDRLs often contain CUI. | Exchange Online, SharePoint, project management tools, ERP (if contract cost data is CUI). | Reporting back to the government is a CUI transmission event. Confirm the transmission path uses approved channels. |
| Subcontractor Management and Data Sharing | Yes — sharing technical data with subcontractors is a CUI flow event. | Email, SharePoint external sharing, secure file transfer tools. | CUI flow to subcontractors must be authorized in writing and covered by a Subcontractor Agreement specifying CMMC requirements. External sharing controls must be enforced technically, not just contractually. |
| Incident Response | Yes — IR investigation may involve access to CUI systems and CUI data logs. | SIEM, Defender XDR, ticketing system, communication channels used for IR coordination. | The IR process itself must be documented in the SSP. Systems used for IR coordination (e.g., a Slack workspace used during incidents) may become in-scope if CUI is discussed in them. |
| Personnel Onboarding and Offboarding | Indirect — creates and revokes access to CUI Assets and SPAs. | HRIS, Entra ID, Intune, Active Directory, ticketing system. | The onboarding/offboarding process is the enforcement point for PS.L2-3.9.1 and PS.L2-3.9.2. Automated de-provisioning is strongly recommended; manual offboarding processes are a recurring control gap. |
For each process, the scoping question is binary: does this process result in CUI being created, received, stored, or transmitted? If yes, every person who executes the process and every system that supports it is in scope. Document the answer in the SSP process narrative.
Building the SSP Asset Inventory
The SSP asset inventory is the formal record the assessor will review. It must be complete, current, and defensible. An inventory that was accurate twelve months ago and has not been updated since the last hardware refresh is a finding waiting to happen.
Inventory Construction Sequence
Start with CUI Assets, then work outward:
- Identify CUI Assets first. List every system where CUI is created, stored, processed, or transmitted. These are non-negotiable. Anything that touches CUI is in scope.
- Identify SPAs. For each CUI Asset, ask: what systems control access to it, monitor it, or protect it? Those are SPAs. Add them to the inventory.
- Identify CRMA candidates. For assets connected to the environment but not touching CUI directly, evaluate whether they can be managed as CRMA. Document the risk acceptance.
- Document out-of-scope assets. For anything claimed as out of scope, document the physical and logical separation controls. "It's on a different VLAN" is not sufficient without evidence that the VLAN is enforced at the firewall with a deny-all default posture.
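The four-step sequence above as a small classifier, added here as an example and not part of the chapter's material. The assets, relations and hostnames are constructed sample data; the `UNRESOLVED` category is an assumption for assets whose CRMA or out-of-scope claim has nothing on file, and treating a system that protects an SPA (a SIEM monitoring the IdP) as an SPA itself is an extension of the chapter's rule.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Asset:
    name: str
    holds_cui: bool = False                              # creates, stores, processes or transmits CUI
    protects: Set[str] = field(default_factory=set)      # assets it controls access to, monitors or protects
    connected_to: Set[str] = field(default_factory=set)  # network or data-flow neighbours
    risk_acceptance: Optional[str] = None                # CRMA risk acceptance statement recorded in the SSP
    separation_evidence: Optional[str] = None            # evidence of physical and logical isolation

def classify(assets: Dict[str, Asset]) -> Dict[str, str]:
    """Assign each asset a CMMC category, working outward from the CUI Assets."""
    cat: Dict[str, str] = {}
    # Step 1: anything that touches CUI is a CUI Asset. Non-negotiable.
    for a in assets.values():
        if a.holds_cui:
            cat[a.name] = "CUI Asset"
    # Step 2: anything that controls access to, monitors or protects a CUI Asset
    # is an SPA. Repeat to closure so a system protecting an SPA (the SIEM that
    # monitors the IdP, for instance) is captured too; that extension is an assumption.
    changed = True
    while changed:
        changed = False
        for a in assets.values():
            if a.name not in cat and any(cat.get(t) in ("CUI Asset", "SPA") for t in a.protects):
                cat[a.name] = "SPA"
                changed = True
    # Steps 3 and 4: what remains is CRMA only with a documented risk acceptance and
    # Out of Scope only with documented separation. Anything else is an unresolved
    # scoping claim, which is what the assessor will find first.
    in_scope = set(cat)
    for a in assets.values():
        if a.name in cat:
            continue
        connected = bool(a.connected_to & in_scope)
        if connected and a.risk_acceptance:
            cat[a.name] = "CRMA"
        elif not connected and a.separation_evidence:
            cat[a.name] = "Out of Scope"
        else:
            cat[a.name] = "UNRESOLVED"
    return cat

def unresolved(assets: Dict[str, Asset]) -> List[str]:
    """Assets whose CRMA or out-of-scope claim has no supporting documentation."""
    return sorted(n for n, c in classify(assets).items() if c == "UNRESOLVED")

# Constructed sample environment; hostnames are placeholders.
SAMPLE = {a.name: a for a in [
    Asset("eng-ws-01", holds_cui=True),
    Asset("fs-cui-01", holds_cui=True),
    Asset("entra-id", protects={"eng-ws-01", "fs-cui-01"}),
    Asset("siem", protects={"entra-id"}),
    Asset("perimeter-fw", protects={"fs-cui-01"}),
    Asset("guest-wifi", connected_to={"perimeter-fw"},
          risk_acceptance="Separate SSID, no route to CUI VLANs; accepted by ISSM"),
    Asset("badge-system", connected_to={"perimeter-fw"}),  # connected, no risk acceptance on file
    Asset("lab-net", separation_evidence="Air-gapped R&D network, no CUI; verified by ISSO"),
]}
```

Running `classify(SAMPLE)` puts `badge-system` in `UNRESOLVED`: it touches an SPA but has neither a risk acceptance nor separation evidence, so it must become a CRMA with a documented acceptance or be brought fully into scope.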
Required Inventory Fields
Each asset record in the SSP must include at minimum:
| Field | Description |
|---|---|
| Asset Name / Identifier | Hostname, asset tag, or service name. |
| Asset Type | Endpoint, server, cloud service, network device, mobile, OT/IoT. |
| CMMC Category | CUI Asset, SPA, CRMA, or Out of Scope. |
| Asset Owner | Individual responsible for the asset's security configuration and patching. |
| Location | Physical location (facility, rack) or cloud region. |
| OS / Platform / Version | Operating system and version, or service tier and region for cloud assets. |
| IP Address / DNS Name | Primary address. For cloud services, the service endpoint. |
| Connected To | Assets this system communicates with in the CUI environment. |
| Last Updated | Date the record was last verified. |
The Entra device inventory and Intune device inventory together capture every managed endpoint in the tenant. Export both, cross-reference them, and use the combined list as the starting point for your endpoint asset inventory. Devices that appear in Entra but not in Intune — or vice versa — are a hygiene gap worth resolving before an assessment. Chapter 11-2 covers the asset inventory implementation in detail.
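The cross-reference step as an added example, not from the chapter: the two exports are constructed samples with simplified, assumed column names (map them to your tenant's real export headers), the 90-day freshness window is an assumed policy, and the seeded records leave every field the exports cannot supply as an explicit `TBD` so the inventory cannot be mistaken for complete.

```python
import csv
import io
from datetime import date
from typing import Dict, List

# Constructed sample exports. Column names are simplified assumptions, not the
# exact headers of the Entra or Intune portal exports.
ENTRA_CSV = """deviceId,displayName,operatingSystem,osVersion,lastSignIn
d-1001,ENG-WS-01,Windows,10.0.22631,2025-01-14
d-1002,ENG-WS-02,Windows,10.0.22631,2025-01-13
d-1003,ADMIN-WS-01,Windows,10.0.22631,2025-01-14
d-1004,OLD-LAPTOP-07,Windows,10.0.19045,2024-03-02
"""
INTUNE_CSV = """entraDeviceId,deviceName,osVersion,lastCheckIn,primaryUser
d-1001,ENG-WS-01,10.0.22631,2025-01-14,alice@example.test
d-1002,ENG-WS-02,10.0.22631,2025-01-13,bob@example.test
d-1005,CONTRACTOR-LT-01,10.0.22631,2025-01-12,sub@partner.test
"""

def load(csv_text: str, key: str) -> Dict[str, dict]:
    """Index an export by its Entra device ID so the two lists can be joined."""
    return {row[key]: row for row in csv.DictReader(io.StringIO(csv_text))}

def cross_reference(entra_csv: str, intune_csv: str) -> Dict[str, List[str]]:
    """Devices present in one inventory but not the other are the hygiene gaps."""
    entra, intune = load(entra_csv, "deviceId"), load(intune_csv, "entraDeviceId")
    return {
        "entra_only": sorted(entra[d]["displayName"] for d in set(entra) - set(intune)),
        "intune_only": sorted(intune[d]["deviceName"] for d in set(intune) - set(entra)),
    }

def stale_devices(entra_csv: str, as_of: str, max_age_days: int = 90) -> List[str]:
    """Devices whose last sign-in is older than the (assumed) freshness window."""
    out = []
    for row in load(entra_csv, "deviceId").values():
        if (date.fromisoformat(as_of) - date.fromisoformat(row["lastSignIn"])).days > max_age_days:
            out.append(row["displayName"])
    return sorted(out)

def seed_inventory(entra_csv: str, intune_csv: str) -> List[dict]:
    """Starting SSP records (the required fields above) for devices in both exports."""
    entra, intune = load(entra_csv, "deviceId"), load(intune_csv, "entraDeviceId")
    records = []
    for dev_id in sorted(set(entra) & set(intune)):
        e, i = entra[dev_id], intune[dev_id]
        records.append({
            "Asset Name / Identifier": e["displayName"],
            "Asset Type": "Endpoint",
            "CMMC Category": "TBD: CUI Asset or SPA",  # decided by whether the user handles CUI on it
            "Asset Owner": "TBD",                      # the primary user is not the owner
            "Location": "TBD",
            "OS / Platform / Version": f'{e["operatingSystem"]} {e["osVersion"]}',
            "IP Address / DNS Name": "TBD",
            "Connected To": "Entra ID, Intune",
            "Last Updated": max(e["lastSignIn"], i["lastCheckIn"]),  # most recent verification
        })
    return records

def incomplete(records: List[dict]) -> List[str]:
    """Asset names whose record still carries a TBD field and is not yet defensible."""
    return [r["Asset Name / Identifier"] for r in records
            if any(str(v).startswith("TBD") for v in r.values())]
```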
Network Diagram Requirement
The SSP must include a network diagram showing the relationships between in-scope assets. The diagram does not need to be architectural-grade artwork, but it must show:
- The CUI enclave boundary (logical or physical).
- Where CUI Assets reside relative to the boundary.
- Where SPAs sit relative to CUI Assets.
- External connections: internet egress, government network connections, VPN termination points, cloud service connections.
- Any CRMA assets connected to the environment with their separation controls indicated.
Assessors use the network diagram to identify undocumented connections. If a system appears connected to CUI Assets on the diagram but is not in the asset inventory, the assessor will ask why.
People & Technology — Compliance Control Mapping
The asset inventory and scoping work in this chapter directly satisfies or enables the following CMMC Level 2 practices:
| CMMC Practice | Requirement Summary | Artifact Produced by This Chapter |
|---|---|---|
| CA.L2-3.12.4 | Develop, document, and periodically update an SSP that describes the system boundary, operational environment, and implementation of security controls. | SSP asset inventory, network diagram, and process narrative. |
| CM.L2-3.4.1 | Establish and maintain baseline configurations for all CUI Assets and SPAs. | Asset inventory identifies which systems require a documented baseline configuration. |
| AC.L2-3.1.1 | Limit system access to authorized users, processes, and devices. | People inventory identifies authorized users per system. |
| AC.L2-3.1.2 | Limit system access to the types of transactions and functions authorized users are permitted to execute. | Role × access type mapping in the people inventory. |
| RA.L2-3.11.1 | Periodically assess risk to organizational operations, assets, and individuals from the operation of systems processing CUI. | Risk assessment scope is defined by the asset inventory. Assets not in the inventory cannot be formally risk-assessed. |
| PS.L2-3.9.1 | Screen individuals prior to authorizing access to systems containing CUI. | People inventory identifies which roles require screening under this control. |
| PS.L2-3.9.2 | Ensure that CUI is protected during and after personnel actions such as terminations and transfers. | Offboarding process mapping identifies which systems require de-provisioning and in what sequence. |
For organizations voluntarily aligning to NIST SP 800-171 Rev. 3, the same scoping work maps to the following security requirements:
| NIST SP 800-171 Rev. 3 Requirement | Requirement Summary | Artifact Produced by This Chapter |
|---|---|---|
| 3.12.4 | Develop, document, and periodically update an SSP. | SSP asset inventory, network diagram, and process narrative. |
| 3.4.1 | Establish and maintain baseline configurations for organizational systems. | Asset inventory identifies systems requiring documented baselines. |
| 3.1.1 | Limit system access to authorized users, processes acting on behalf of users, and devices. | People inventory identifies authorized users per system. |
| 3.1.2 | Limit system access to the types of transactions and functions authorized users are permitted to execute. | Role × access type mapping in the people inventory. |
| 3.11.1 | Periodically assess the risk to organizational operations and assets resulting from the operation of systems that process, store, or transmit CUI. | Risk assessment scope is derived from the asset inventory. |
| 3.9.1 | Screen individuals prior to authorizing access to systems containing CUI. | People inventory identifies personnel requiring screening. |
| 3.9.2 | Ensure that CUI is protected during and after personnel actions. | Offboarding process mapping identifies de-provisioning requirements. |