32 CFR 170.19(c)(1) Table 3 specifies five Specialized Asset categories for CMMC Level 2 scoping that sit between standard CUI Assets and Out-of-Scope Assets: Government Furnished Equipment, Internet of Things or Industrial Internet of Things devices, Operational Technology systems, Restricted Information Systems, and Test Equipment. At Level 1 the corresponding list lives at § 170.19(b)(2)(ii). Each category can process, store, or transmit Federal Contract Information or Controlled Unclassified Information but cannot be fully secured to the standard NIST SP 800-171 controls because of hardware constraints, lifecycle restrictions, or contract terms. CMMC Level 2 accommodates Specialized Assets through risk-based documentation in the System Security Plan rather than full control implementation. Misclassifying a Specialized Asset as Out-of-Scope is one of the more common scoping errors that send the contractor back into scoping work before assessment can proceed.
Most contractors build an asset inventory assuming every asset is either fully in scope or fully out. CMMC has a third category. It has five names, and each carries its own assessment treatment.
The regulation that creates this category is 32 CFR § 170.19(c)(1) Table 3, supported by the CMMC Level 1 and Level 2 Scoping Guides. The five categories sit between the standard CUI Asset bucket and the Out-of-Scope bucket because they share one trait. They can process, store, or transmit FCI or CUI, but they can’t be fully secured against the standard CMMC requirements. Hardware, lifecycle, or contract terms prevent it.
Knowing which category each asset falls into is the difference between an inventory the assessor accepts and one rejected at the pre-assessment scoping review. Our CUI scoping piece covers the broader categorization. This one sits inside that, in the specialized layer.
The Five Categories
Government Furnished Equipment
Government Furnished Equipment, or GFE, is equipment provided by the federal government for contract performance. It belongs to the government. Contract terms govern its use, configuration, and disposition. The contractor is custodian, not owner.
That ownership matters for scoping. The contractor cannot reconfigure a GFE laptop to a preferred security baseline. The government already set the baseline. The contractor’s job is to use the equipment within the contract’s terms and to document that the equipment exists, what it touches, and where it sits in the network.
GFE shows up most often as laptops issued for classified or controlled program work. It also includes program-specific tablets, encrypted radios, secure phones, and program-furnished servers. If the line item appears on a contract delivery and the asset tag points to a federal agency, it’s GFE.
Internet of Things or Industrial Internet of Things
IoT and IIoT cover connected devices with limited compute, limited storage, and limited ability to host a standard endpoint agent. Smart sensors, networked printers, badge readers, conference room hardware, building automation controllers, networked cameras. These devices have an IP address and a function, but they can’t reasonably be patched, hardened, or monitored the way a workstation can.
The risk is that an IoT device can sit on a network segment carrying FCI or CUI without anyone realizing it. A networked printer handling documents containing CUI is part of the data flow. So is a conference room display mirroring a screen during a controlled briefing.
Operational Technology
Operational Technology, or OT, covers industrial control systems, SCADA equipment, programmable logic controllers, manufacturing execution systems, and the physical-process infrastructure that runs a production environment. OT was built for uptime and safety, not confidentiality. Many systems run vendor-locked firmware that can’t be patched without breaking warranty, certification, or both.
OT matters most for manufacturers and integrators. A defense manufacturer whose CNC machines pull tooling files derived from CUI drawings has OT in scope. So does a fabricator whose quality-management system stores controlled test results. Our CMMC for manufacturing piece walks the manufacturer-specific implications.
Restricted Information Systems
Restricted Information Systems are configured to meet special access requirements that often exceed standard CMMC controls. Classified networks, program-specific isolated environments, and systems operating under contractually mandated restrictions all fall here.
The category exists because some systems can’t be open to standard CMMC assessment procedures. An assessor cannot walk in and run normal evidence collection inside a SCIF. The system has its own security regime, often accredited under a separate framework. CMMC accommodates that by giving these systems their own treatment.
Test Equipment
Test equipment is the category most often mis-scoped. It’s hardware used for measurement, calibration, verification, or environmental testing. Oscilloscopes recording waveforms from controlled-design hardware. Network analyzers capturing traffic for engineering validation. Environmental chambers logging telemetry to a controlled product test. The equipment isn’t a general-purpose computer. It runs purpose-built firmware, sometimes decades old.
The reason it can’t be fully secured is the same reason it works. Test equipment is calibrated, certified, and stable on purpose. Patching the operating system risks breaking the calibration certificate. Encrypting storage risks corrupting the measurement record. Standard endpoint controls invalidate the equipment.
How Treatment Differs by Level
The five categories share the label “specialized,” but they don’t share a single treatment. The level changes the rules.
At Level 1, the L1 Scoping Guide states explicitly that specialized assets are not part of the Level 1 self-assessment scope and are not assessed against CMMC requirements. There are no documentation requirements for these assets at L1. Recognizing the category still matters in practice (knowing what’s specialized helps a contractor make good architectural choices about FCI flows), but at L1 the assessor isn’t reviewing the specialized asset itself.
At Level 2, the rules tighten. Per 32 CFR § 170.19(c)(1) Table 3 and the L2 Scoping Guide, specialized assets must be documented in the asset inventory, addressed in the SSP, and shown as managed using the contractor’s risk-based security policies, procedures, and practices. The assessor reviews SSP coverage for these assets but doesn’t assess them against the other CMMC security requirements. Acknowledgment plus risk-managed handling, not control-by-control compliance. Specialized assets may also be eligible for an Enduring Exception where called out in the L2 and L3 Scoping Guides.
At Level 3, the standard rises again. Specialized assets remain in scope, and the regulation permits intermediary devices to provide CMMC security capabilities for assets that can’t host them directly. A hardened gateway sitting in front of OT that can’t run an endpoint agent can carry the capability, and the gateway itself falls into its in-scope category and is assessed under those rules.
The pattern across levels: at L1, the specialized asset is outside the assessment scope. At L2, document it and prove the risk treatment. At L3, document it and prove the compensating architecture.
Common Mistakes
Two failure modes show up repeatedly.
The first is over-scoping. A contractor treats every piece of test equipment as if it must meet the full set of L2 controls. The result is a remediation roadmap with line items the equipment can never satisfy, findings on assets that should have been documented as specialized, and time spent trying to encrypt a 1998 oscilloscope. The fix is to read § 170.19(c)(1) Table 3 carefully.
The second is under-scoping. A contractor misses an IoT device that touches an FCI or CUI data flow. Networked printers, document scanners, building-control systems, and conference room hardware are the most common offenders. They get missed in network diagrams. The fix is a network sweep keyed to the boundary diagram. If it has an IP address and sits inside the assessment boundary, it’s a standard asset, a specialized asset, or out of scope. No fourth option.
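One way to run that reconciliation, as an added example rather than anything taken from the regulation or the Scoping Guides: sweep results are compared against the asset inventory for the subnets drawn inside the boundary. The subnets, addresses, hostnames, category labels and finding names are constructed for illustration, and the sweep list is assumed to come from whatever discovery tool is already in use.

```python
import ipaddress

# Constructed sample data (illustrative only).
BOUNDARY = ["10.20.0.0/24", "10.20.8.0/24"]  # segments inside the boundary diagram

INVENTORY = {  # ip -> (name, category recorded in the asset inventory)
    "10.20.0.10": ("eng-ws-01", "CUI Asset"),
    "10.20.0.40": ("scope-lab-3", "Specialized: Test Equipment"),
    "10.20.0.77": ("lobby-display", "Out-of-Scope"),
    "10.20.8.5": ("cnc-plc-2", "Specialized: OT"),
    "10.20.8.20": ("badge-reader", "Specialized: IoT/IIoT"),
    "192.168.50.9": ("guest-kiosk", "Out-of-Scope"),
}

# Addresses that answered the sweep (constructed).
SWEEP = ["10.20.0.10", "10.20.0.40", "10.20.0.55",
         "10.20.0.77", "10.20.8.5", "192.168.50.9"]


def in_boundary(ip, boundary):
    """True if the address falls inside any subnet on the boundary diagram."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in boundary)


def reconcile(sweep, inventory, boundary):
    """Compare sweep results with the inventory, limited to the boundary."""
    seen = {ip for ip in sweep if in_boundary(ip, boundary)}
    listed = {ip for ip in inventory if in_boundary(ip, boundary)}
    by_addr = lambda ips: sorted(ips, key=ipaddress.ip_address)
    return {
        # Answered inside the boundary but has no category at all.
        "unclassified": by_addr(seen - listed),
        # Marked Out-of-Scope yet addressed inside the boundary: the
        # judgment needs written reasoning, not just a label.
        "review_out_of_scope": by_addr(
            ip for ip in listed if inventory[ip][1] == "Out-of-Scope"),
        # Inventoried inside the boundary but silent during the sweep.
        "not_seen": by_addr(listed - seen),
    }


if __name__ == "__main__":
    for finding, ips in reconcile(SWEEP, INVENTORY, BOUNDARY).items():
        for ip in ips:
            name = INVENTORY.get(ip, ("<not in inventory>", ""))[0]
            print(f"{finding:20} {ip:14} {name}")
```
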
What to Do With This
Specialized assets are contextual judgment, not a checklist. The regulation gives the categories and the treatment. The environment gives the facts. The work is matching the two without forcing every asset into the standard bucket and without letting an asset that handles FCI or CUI slip out of scope because it didn’t fit a template.
Read § 170.19(c)(1) Table 3 before drafting the asset inventory. Map every connected device to a category before the assessor does it for you. If the answer isn’t obvious, document the judgment and the reasoning. That documentation is what separates an inventory the C3PAO accepts from one that triggers a scope review.
References
| Source | What it covers | Type |
|---|---|---|
| 32 CFR Part 170 (CMMC Program Rule) | 32 CFR 170.19(c)(1) Table 3 — defines the five Specialized Asset categories and their assessment treatment at each level | Regulation |
| DFARS 252.204-7012 (Safeguarding Covered Defense Information) | CUI handling obligation — the trigger that makes Specialized Asset categorization a scoping question rather than a procurement question | Regulation |
| NIST SP 800-171 Rev 2 | 110 security requirements — the standard from which Specialized Assets are accommodated via risk-based documentation rather than full control compliance | Standard |