Specialized Asset (CMMC)

"Specialized asset" is a category defined in 32 CFR Part 170, the CMMC Program Rule, for equipment that processes, stores, or transmits Controlled Unclassified Information (CUI) but cannot be fully configured to meet all 110 NIST SP 800-171 Rev 2 controls. The category matters because CMMC scopes assessment differently for specialized assets than for general IT.

What counts as a specialized asset

The CMMC rule identifies five asset types:

  • Government-Furnished Equipment (GFE) — hardware provided by the customer that the contractor cannot reconfigure.
  • Internet of Things (IoT) — networked sensors, cameras, and embedded controllers without general-purpose operating systems.
  • Operational Technology (OT) — PLCs, DCS, SCADA, HMIs, CNCs, and industrial controllers running firmware.
  • Restricted Information Systems — systems whose configuration is constrained by contract, export control, or security classification.
  • Test Equipment — calibrated instruments, probes, and measurement systems where firmware changes invalidate the calibration.

How CMMC treats specialized assets

Specialized assets are in scope for the assessment but are evaluated against a reduced set of requirements. The SSP must identify each specialized asset, document the CUI that flows to or from it, and describe the compensating controls that protect it. The C3PAO will verify that the compensating controls are operating and that the Enduring Exception documentation is complete.

This is not a loophole. An asset marked as specialized still has to be risk-managed; it just cannot be held to controls its firmware does not support. The contractor takes on the burden of proving risk equivalence at the network and process layers.

Typical scenarios

  • A CNC controller receives G-code files that contain CUI technical drawings. The controller runs 10-year-old firmware with no TLS, no MFA, and no audit logs. It is a specialized OT asset. Compensating controls enforce identity, encryption, and logging at the network proxy in front of it.
  • A calibrated pressure sensor on a munitions test stand transmits readings over serial. It has no concept of authentication. It is specialized test equipment. Physical access control and network isolation are the compensating mechanisms.
  • A government-furnished inspection camera sits on a segment that touches CUI data flows. Its firmware is owned by the customer. It is GFE. The boundary around it is the control.

Access Gate connection

Access Gate protects specialized assets by enforcing identity, encryption, and audit at the network layer — producing C3PAO-ready evidence for assets that cannot satisfy the controls themselves. See CMMC Enduring Exceptions for OT.