CMMC 2.0 Scoping Guidance Limits the Scope of Cybersecurity Assessments
Client Alert | 1 min read | 12.23.21
The Department of Defense (DoD) recently released the initial guidance documents for Version 2.0 of its Cybersecurity Maturity Model Certification (CMMC) program, including its much-anticipated Scoping Guidance. While the guidance documents generally adhere to the current requirements for the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), the Scoping Guidance includes notable developments. Chief among them is the introduction of two asset categories — “Specialized Assets” and “Contractor Risk Managed Assets” — that could potentially limit the scope of a contractor’s CMMC assessment, as well as the number and types of assets to be assessed against the applicable CMMC practices.
- Specialized Assets include government property; internet of things (IoT) and industrial internet of things (IIoT) devices; operational technology; systems configured based entirely on government requirements and used to support a contract; and test equipment.
- Contractor Risk Managed Assets include computing resources that are capable of handling CUI but are prevented from doing so by the contractor’s security policies, procedures, and practices.
Contractors expecting to be subject to CMMC should carefully review the Scoping Guidance, as well as the other guidance documents, to determine whether and how they may wish to limit the scope of CMMC’s applicability.
Contacts
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
- D | +1.202.624.2698
- Washington, D.C. (CGA)
- D | +1 202.624.2500
Insights
Client Alert | 5 min read | 12.12.25
Eleventh Circuit Hears Argument on False Claims Act Qui Tam Constitutionality
On the morning of December 12, 2025, the Eleventh Circuit heard argument in United States ex rel. Zafirov v. Florida Medical Associates, LLC, et al., No. 24-13581 (11th Cir. 2025). This case concerns the constitutionality of the False Claims Act (FCA) qui tam provisions and a groundbreaking September 2024 opinion in which the United States District Court for the Middle District of Florida held that the FCA’s qui tam provisions were unconstitutional under Article II. See United States ex rel. Zafirov v. Fla. Med. Assocs., LLC, 751 F. Supp. 3d 1293 (M.D. Fla. 2024). That decision, penned by District Judge Kathryn Kimball Mizelle, was the first success story for a legal theory that has been gaining steam ever since Justices Thomas, Barrett, and Kavanaugh indicated they would be willing to consider arguments about the constitutionality of the qui tam provisions in U.S. ex rel. Polansky v. Exec. Health Res., 599 U.S. 419 (2023). In her opinion, Judge Mizelle held (1) qui tam relators are officers of the U.S. who must be appointed under the Appointments Clause; and (2) historical practice treating qui tam and similar relators as less than “officers” for constitutional purposes was not enough to save the qui tam provisions from the fundamental Article II infirmity the court identified. That ruling was appealed and, after full briefing, including by the government and a bevy of amici, the litigants stepped up to the plate this morning for oral argument.
Client Alert | 8 min read | 12.11.25
Director Squires Revamps the Workings of the U.S. Patent Office
Client Alert | 8 min read | 12.10.25
Creativity You Can Use: CJEU Clarifies Copyright for Applied Art
Client Alert | 4 min read | 12.10.25
Federal Court Strikes Down Interior Order Suspending Wind Energy Development
