CMMC 2.0 Scoping Guidance Limits the Scope of Cybersecurity Assessments
Client Alert | 1 min read | 12.23.21
The Department of Defense (DoD) recently released the initial guidance documents for Version 2.0 of its Cybersecurity Maturity Model Certification (CMMC) program, including its much-anticipated Scoping Guidance. While the guidance documents generally adhere to the current requirements for the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), the Scoping Guidance includes notable developments. Chief among them is the introduction of two asset categories — “Specialized Assets” and “Contractor Risk Managed Assets” — that could potentially limit the scope of a contractor’s CMMC assessment, as well as the number and types of assets to be assessed against the applicable CMMC practices.
- Specialized Assets include government property; internet of things (IoT) and industrial internet of things (IIoT) devices; operational technology; systems configured based entirely on government requirements and used to support a contract; and test equipment.
- Contractor Risk Managed Assets include computing resources that are capable of handling CUI but are prevented from doing so by the contractor’s security policies, procedures, and practices.
Contractors expecting to be subject to CMMC should carefully review the Scoping Guidance, as well as the other guidance documents, to determine whether and how they may wish to limit the scope of CMMC’s applicability.
Contacts
Partner, Crowell Global Advisors Senior Director
Insights
Client Alert | 4 min read | 08.07.25
On July 25, 2025, the Eleventh Circuit Court of Appeals issued its decision in United States ex. rel. Sedona Partners LLC v. Able Moving & Storage Inc. et al., holding that a district court cannot ignore new factual allegations included in an amended complaint filed by a False Claims Act qui tam relator based on the fact that those additional facts were learned in discovery, even while a motion to dismiss for failure to comply with the heightened pleading standard under Federal Rule of Civil Procedure 9(b) is pending. Under Rule 9(b), allegations of fraud typically must include factual support showing the who, what, where, why, and how of the fraud to survive a defendant’s motion to dismiss. And while that standard has not changed, Sedona gives room for a relator to file first and seek out discovery in order to amend an otherwise deficient complaint and survive a motion to dismiss, at least in the Eleventh Circuit. Importantly, however, the Eleventh Circuit clarified that a district court retains the discretion to dismiss a relator’s complaint before or after discovery has begun, meaning that district courts are not required to permit discovery at the pleading stage. Nevertheless, the Sedona decision is an about-face from precedent in the Eleventh Circuit, and many other circuits, where, historically, facts learned during discovery could not be used to circumvent Rule 9(b) by bolstering a relator’s factual allegations while a motion to dismiss was pending. While the long-term effects of the decision remain to be seen, in the short term the decision may encourage relators to engage in early discovery in hopes of learning facts that they can use to survive otherwise meritorious motions to dismiss.
Client Alert | 4 min read | 08.06.25
FinCEN Delays Implementation Date and Reopens AML/CFT Rule for Investment Advisers
Client Alert | 4 min read | 08.06.25
Series of Major Data Breaches Targeting the Insurance Industry
Client Alert | 11 min read | 08.06.25
