SPA
Also known as: Security Protection Asset
Security Protection Asset — an asset that provides security protection functions for the in-scope CUI environment. Examples: SIEM, EDR, identity provider, firewall.
A Security Protection Asset (SPA) is an asset that provides security protection functions for the in-scope Controlled Unclassified Information (CUI) environment. SPAs do not themselves process or store CUI, but they are responsible for protecting the assets that do.
Common SPAs include: SIEM and log aggregation platforms, endpoint detection and response (EDR) agents, identity providers and MFA platforms (Entra ID, Okta, Duo), firewalls and network security appliances, vulnerability scanners (Nessus, Qualys, Rapid7), backup and recovery systems, and managed detection and response (MDR) service providers.
Under CMMC Level 2, SPAs are in scope for the assessment. They must meet the relevant NIST SP 800-171 requirements that apply to security protection functions, and the contractor must include them in the SSP and the asset inventory. External SPAs (cloud-delivered security services) are subject to the shared responsibility matrix and FedRAMP Moderate requirements.
CMMCDocs.com