Specialized Assets
Specialized Assets are systems that can process, store, or transmit CUI but can’t be fully secured to meet all 110 requirements. Their nature — firmware limitations, government ownership, operational constraints — makes full compliance impractical or impossible.
They’re in scope, but assessed differently: the assessor reviews your SSP to verify you’ve documented these assets and explained how you manage them using your risk-based security policies. They do not assess Specialized Assets against individual CMMC requirements. Specialized Assets may also qualify for Enduring Exceptions.
The Five Types
Government Furnished Equipment (GFE) — equipment the government owns or leases and provides for your use. Includes equipment you purchased to government-required specifications under contract terms (defined in FAR 52.245-1). Does not include intellectual property or software.
IoT / IIoT Devices — smart devices with sensors, actuators, and network connectivity. Smart lighting, HVAC controls, connected fire and smoke detectors, environmental sensors, building automation systems. These typically run embedded firmware that can’t be hardened to 800-171 standards.
Operational Technology (OT) — systems that interact with the physical world. Industrial control systems, building management systems, SCADA, physical access control mechanisms, manufacturing equipment. OT often runs legacy software that can’t be patched without vendor approval and extensive testing.
Restricted Information Systems — systems configured to specific government security requirements and used to support a contract. Fielded systems, obsolete systems maintained for support purposes, and product deliverable replicas that must match the configuration of deployed systems.
Test Equipment — hardware used to test products and deliverables. Oscilloscopes, spectrum analyzers, power meters, logic analyzers, environmental test chambers, special test equipment specific to your contract deliverables.
What You Must Document
In your SSP, for each Specialized Asset or category:
- What the asset is and why it qualifies as a Specialized Asset
- That it appears in your asset inventory
- That it’s shown on your network diagram
- How you manage it using your risk-based security policies, procedures, and practices — even if you can’t apply all 110 controls, you must explain what you do to manage the risk