Risk Managed Assets are not assessed against CMMC practices, but OSCs must demonstrate that they are identified and that the risk they pose to CUI is managed in accordance with organizational policies. The Scoping Guide specifies that these assets must be addressed in pre-assessment discussions and described in the scope diagram, but they are explicitly excluded from practice-by-practice assessment.
Exact extracts:
“Risk Managed Assets do not process, store, or transmit CUI but can access CUI Assets. These assets are not assessed against CMMC practices but must be discussed with the assessor.”
“Organizations must identify how these assets are managed by organizational policies.”
“Risk Managed Assets must be included in scope diagrams.”
Why the other options are incorrect:
A/B/D: Risk Managed Assets still must be documented, discussed, and managed with policies.
C: They are explicitly excluded from practice assessment.