• Requirement

    Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.

  • Discussion

    Information resources that are not owned, provisioned, or issued by the organization include systems or system components owned by other organizations and personally owned devices. Non-organizational information resources present significant risks to the organization and complicate the ability to employ a “comply-to-connect” policy or implement component or device attestation techniques to ensure the integrity of the organizational system.

More Info

  • Title

    Organizationally Controlled Assets
  • Domain

    Access Control
  • CMMC Level

  • Further Discussion

    Implementing this requirement ensures that an organization has control over the systems that can connect to organizational assets. This control will allow more effective and efficient application of security policy.


    You are the chief network architect for your company. Company policy states that all company-owned assets must be separated from all non-company-owned (i.e., guest or employee) assets. You decide the best way forward is to modify the corporate wired and wireless networks to only allow company-owned devices to connect [b]. All other devices are connected to a second (untrusted) network that non-corporate devices may use to access the internet. The two environments are physically separated and are not allowed to be connected. You also decide to limit the virtual private network (VPN) services of the company to devices owned by the corporation by installing certificate keys and have the VPN validate the configuration of connecting devices before they are allowed in [b].

    Potential Assessment Considerations

    • Can the organization demonstrate a non-company-owned device failing to access information resources owned by the company [b]?
    • How is this requirement met for organizational devices that are specialized assets (GFE, restricted information systems) [a,b]?
    • Does the company allow employees to charge personal cell phones on organizational systems [b]?

NIST 800-172A Assessment Guidance

CMMC Training

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!