April 2, 2026
What is "relevant" for SPA? Addressing controls vs. implementing controls
As promised! Several folks wrote to say they were interested in this subject, particularly with regard to Security Protection Assets (SPA). So here we go.
First, a definition from 32 CFR 170 (the CMMC Program final rule):
Security Protection Assets (SPA) means assets providing security functions or capabilities for the OSA’s CMMC Assessment Scope. (CMMC-custom term)
Common SPA include firewalls, antivirus software, MDM applications, badging systems, camera systems, and locks on doors (even dumb ones -- keys must be managed under PE.L2-3.10.5).
The Scoping Guide for L2 tells us that the OSA (Organization Seeking Assessment -- that's you) Requirements for SPA are:
- Document in the asset inventory
- Document asset treatment in the SSP
- Document in the network diagram of the CMMC Assessment Scope
- Prepare to be assessed against CMMC Level 2 security requirements
Since these are the exact same OSA Requirements for CUI Assets, it appears that DoD/DoW expects you to apply all the same controls to SPA that you do for CUIA. However, the CMMC Assessment Requirements state that SPA are to be assessed against Level 2 security requirements that are "relevant to the capabilities provided."
So, what does "relevant" mean in this context? Many assessors believe that SPA are only assessed on what they actually do to provide security to the CMMC assessment scope. (I've written about this before.)
Many people get really upset about having to implement all 110 controls on SPA, but I think it's important to understand that it's not required to implement all 110, but it is required that you address all 110. What does that mean?
Put simply, it means you read the control (and the AOs of course), look at the SPA in question, and decide whether this control is applicable or not. If it is applicable, then you implement it. If not, you ignore it. Regardless of the result of your determination, you have addressed the control.
The most famous example routinely used is the three controls in the Awareness & Training (AT) domain:
3.2.1: Ensure that managers, systems administrators, and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
3.2.2: Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
3.2.3: Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Let's say the SPA in question is your firewall. Are any of these three controls applicable to your firewall? No. You have now addressed these three controls for your firewall.
Let's say the SPA in question is the system administrator that manages your firewall. Are any of these three controls applicable to that individual? Yes, all three of them are. You add these to your todo list. You have addressed these three controls for your firewall administrator.
In summary,
- You address a control by reading it and making a determination as to whether it is applicable to the asset in question.
- If yes, you implement it for that asset.
- If no, you ignore it for that asset.
- You have addressed that control for that asset.
If you take the time to walk through all 110 controls for your firewall, you will quickly realize that only a small percentage are actually applicable to your firewall. Those you implement, the others you ignore -- after *addressing* each one to determine applicability.
Need help? Reach out.
Sincerely,
Glenda R. Snodgrass, CCP/CCA/Lead CCA
grs@theneteffect.com
The Net Effect, LLC
www.theneteffect.com
251-433-0196 x107