CMMCDocs.com

CRMA

Also known as: Contractor Risk Managed Asset

Contractor Risk Managed Asset — an asset that is not directly handling CUI but could affect the in-scope environment if compromised. Subject to limited NIST 800-171 controls.

A Contractor Risk Managed Asset (CRMA) is an asset that is not directly processing, storing, or transmitting Controlled Unclassified Information, but could affect the in-scope CUI environment if it were compromised. CRMAs sit between fully in-scope Information System (IS) assets and Out-of-Scope assets in the CMMC scoping model.

Examples of CRMAs include workstations on the same network segment as in-scope systems, infrastructure providing supporting services (DNS, DHCP, NTP) to the in-scope environment, or shared printers and multifunction devices that the in-scope environment uses. The contractor manages the risk of these assets through limited security controls, documents them in the SSP, and includes them in the asset inventory.

CRMAs are not subject to the full set of 110 NIST SP 800-171 requirements but must be protected to a degree consistent with the risk they represent to CUI.
