CMMC and Asset Inventory
Asset inventory will drive your compliance. Whether you rely on the shared responsibility of zero trust models or protect information at your boundaries, asset inventory drives your security. When determining the cost of both compliance and security, asset inventory drives your scoping.
Asset Inventory Matters.
You cannot protect what you do not count.
What should good asset inventory be an inventory of?
Before we get there, consider your process. How will you count the stuff you want to protect? Once a company gets over 5-10 employees, manual inventory hurts. A lot. Not only is it time consuming, but the data quickly falls out of date.
Asset inventory needs to be a living document fed by automation and cared for with good policy and procedures. You need a system to automate asset discovery. You need to collect up-to-date information on your assets, such as patching status or log-ons. Some assets, like computer programs, may come with a software bill of materials that contains important information your inventory can ingest automatically.
Before you count stuff you must figure out how you will count it, and you need to be strategic about it. For example, a company may use its vulnerability scanner to identify assets connected to a system, or it may use a spreadsheet and inventory scanners. Just develop a plan that automates as much as possible while considering the many different practices of CMMC.
What Goes into Inventory?
- Unique Identifier - Each asset needs its own name
- Platform type - Windows, Mac, Server
- Asset Categorization - Type of CMMC asset per scoping guidance
- Admin of asset - May be an employee or a third party through shared responsibility
- The applications and processes that manage the inventory of this asset
- Network Connections - Ways the asset connects
- Regulations - Laws that govern this asset
- Practices/Controls Met - CMMC practices that protect the asset
- Asset's role in business
- Contractual Availability - Any rules that spell out access to the asset
- Assigned Maintenance - Who maintains the asset, or the third-party relationship that does
- Link to Maintenance Plan
As Jill Lawson notes, you will want to expand the CUI assets to a greater extent and include links to a CUI Management plan:
that identifies what CUI or CTI is being protected, who has access to it, where it resides at rest, how to dispose of it, and the process of notifying the KO if a risk of aggregation of the CUI arises.
A CUI policy is one of the delta twenty practices that got cut from CMMC 2.0 and is listed as an NFO in Appendix E of NIST SP 800-171. That is, the government assumes this is something you already do. As an NFO control, that means that while it is not assessed, you are still expected to meet it for compliance with DFARS-7012.
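To make the field list above and the CUI Management plan requirement concrete, here is an added example (not from the original post) of an inventory record with the checks a living inventory should run automatically: unique identifiers, a recognised scoping category, a maintenance plan link, a CUI Management plan link on every CUI asset, and a staleness check on the last automated check-in. The category set, the sample assets, the dates and the links are all constructed for this example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Valid categories per the CMMC Level 2 scoping guidance (assumed set for this example).
CATEGORIES = {"CUI Asset", "Security Protection Asset", "Contractor Risk Managed Asset",
              "Specialized Asset", "Out-of-Scope Asset"}

@dataclass
class Asset:
    asset_id: str          # Unique Identifier
    platform: str          # Platform type (Windows, Mac, Server ...)
    category: str          # Asset Categorization per scoping guidance
    admin: str             # Admin of asset (employee or third party)
    business_role: str     # Asset's role in business
    maintainer: str        # Assigned Maintenance
    maintenance_plan: str  # Link to Maintenance Plan
    last_seen: date        # newest automated check-in (patching / log-on)
    network_connections: list = field(default_factory=list)  # ways it connects
    regulations: list = field(default_factory=list)          # laws that govern it
    practices_met: list = field(default_factory=list)        # CMMC practices protecting it
    cui_plan: str = ""     # Link to CUI Management plan (required for CUI assets)

def validate_inventory(assets: list, today: date, max_age_days: int = 30) -> list:
    """Return a list of findings; an empty list means the inventory is clean."""
    findings, seen = [], set()
    for a in assets:
        if a.asset_id in seen:  # identifiers must be unique across the inventory
            findings.append(f"{a.asset_id}: duplicate identifier")
        seen.add(a.asset_id)
        if a.category not in CATEGORIES:
            findings.append(f"{a.asset_id}: unknown category {a.category!r}")
        if not a.maintenance_plan:
            findings.append(f"{a.asset_id}: no maintenance plan link")
        if a.category == "CUI Asset" and not a.cui_plan:
            findings.append(f"{a.asset_id}: CUI asset lacks CUI Management plan link")
        if today - a.last_seen > timedelta(days=max_age_days):  # inventory gone stale
            findings.append(f"{a.asset_id}: stale, last seen {a.last_seen}")
    return findings

# Constructed sample inventory; every name, address and link is a placeholder.
AS_OF = date(2024, 3, 10)  # constructed "today" for the sample run
SAMPLE = [
    Asset("WS-0001", "Windows", "CUI Asset", "it@example.test", "engineering",
          "msp@example.test", "https://wiki.example.test/maint/WS-0001", date(2024, 3, 1),
          ["corp-wlan"], ["DFARS 7012"], ["AC.L2-3.1.1"], cui_plan="https://wiki.example.test/cui-plan"),
    Asset("SRV-0007", "Server", "CUI Asset", "it@example.test", "file share",
          "it@example.test", "", date(2023, 12, 1), ["dmz"], ["DFARS 7012"]),
    Asset("SRV-0007", "Server", "Lab Gear", "lab@example.test", "test bench",
          "lab@example.test", "https://wiki.example.test/maint/lab", date(2024, 3, 5)),
]
```

Running `validate_inventory(SAMPLE, AS_OF)` reports nothing for WS-0001 and five findings for the two SRV-0007 records (missing plans, staleness, duplicate identifier and an unrecognised category).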
Source: NIST SP 800-40r4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology
img: Counting flickr photo by anno.malie shared under a Creative Commons (BY) license