Inventory Matters

Inventory matters. As Sarah Spencer, CEO of SolonTek, notes, “You cannot protect what you cannot see.”


“dandoodlescan065-inventory is waste” by Inha Leex Hale is licensed under CC BY

Some people read the CMMC assessment guide for Level One and think, “Huh, no inventory needed?”

Not true. You may not have to present inventory results or an inventory policy to pass a Level One assessment, but you will not actually meet the Level One practices without a sound inventory.

Take assessment objective [f] of AC.1.001: “system access is limited to authorized devices (including other systems).” You cannot limit access to authorized devices unless you know which devices are authorized, and that knowledge is an inventory.

What about CUI? Read NIST SP 800-18 on writing a System Security Plan and you quickly realize you need to inventory every contract carrying DFARS 252.204-7012 and the data owner for each one.

Vincent Scott and I put together a quick table of “some” of the practices that a good inventory touches. The word “identified” appears constantly in the CMMC assessment guides; you have to decide whether “identified” also means “counted.” This list will keep growing, so if you think we missed something, let us know.

Comment on LinkedIn, or better yet, get a blog and send me a webmention.

| CMMC Level | Domain | Number | Definition | Assessment Objective | NIST SP 800-171 |
|---|---|---|---|---|---|
| 1 | Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices | [c] devices (and other systems) authorized to connect to the system are identified; | 3.1.1 |
| 1 | Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices | [f] system access is limited to authorized devices (including other systems). | 3.1.1 |
| 2 | Access Control | AC.2.006 | Limit use of portable storage devices on external systems | [a] the use of portable storage devices containing CUI on external systems is identified and documented; | 3.1.21 |
| 2 | Access Control | AC.2.011 | Authorize wireless access prior to allowing such connections | [a] wireless access points are identified; | 3.1.16 |
| 2 | Access Control | AC.2.015 | Route remote access via managed access control points | [a] managed access control points are identified and implemented; | 3.1.14 |
| 2 | Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations | [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified; | 3.1.3 |
| 3 | Access Control | AC.3.020 | Control connection of mobile devices | [a] mobile devices that process, store, or transmit CUI are identified; | 3.1.18 |
| 3 | Access Control | AC.3.022 | Encrypt CUI on mobile devices and mobile computing platforms | [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; | 3.1.19 |
| 2 | Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles | [e] the system inventory includes hardware, software, firmware, and documentation; | 3.4.1 |
| 1 | Identification and Authentication | IA.1.076 | Identify information system users, processes acting on behalf of users, or devices | [c] devices accessing the system are identified. | 3.5.1 |
| 1 | Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems | [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. | 3.5.2 |
| 3 | Media Protection | MP.3.123 | Prohibit the use of portable storage devices when such devices have no identifiable owner | [a] the use of portable storage devices is prohibited when such devices have no identifiable owner. | 3.8.8 |
| 1 | Physical Protection | PE.1.134 | Control and manage physical access devices | [a] physical access devices are identified; | 3.10.5 |
| 2 | System and Communications Protection | SC.2.178 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device | [a] collaborative computing devices are identified; | 3.13.12 |
| 2 | System and Communications Protection | SC.2.179 | Use encrypted sessions for the management of network devices | [a] the organization has one or more policies and/or procedures for establishing connections to manage network devices; | N/A |
| 1 | System and Information Integrity | SI.1.211 | Provide protection from malicious code at appropriate locations within organizational information systems | [a] designated locations for malicious code protection are identified; | 3.14.2 |
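To make the dependency between the “identified” objectives and the “limited” objectives concrete, here is an added example (not code from the original post or from any CMMC guide) that reconciles the devices actually seen on a network against an authorized-device inventory. The inventory entries, the DHCP-style observation lines and the MAC addresses are all constructed for illustration. The point it shows is the one the table makes: you cannot produce the AC.1.001[f] answer (which observed devices are not authorized) without first having the AC.1.001[c] answer (which devices are authorized), and the same inventory also gives you the MP.3.123-style “no identifiable owner” list and the AC.3.020 CUI-device scoping for free.

```python
"""Reconcile observed network devices against the authorized-device inventory.

Added example, not from the original post. Inputs are constructed:
  - INVENTORY: the authorized devices (what AC.1.001[c] asks you to identify)
  - OBSERVED:  devices actually seen on the network, in an "ip mac hostname"
               shape similar to a DHCP lease export (hypothetical data)
The output is what you need to enforce AC.1.001[f]: anything observed that is
not in the inventory, plus inventory entries with no identifiable owner and
the observed devices that are in scope for CUI handling.
"""
import re
from dataclasses import dataclass

MAC_HEX_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonical form: lowercase, colon-separated.

    Accepts 'AA-BB-CC-00-00-02', 'aabb.cc00.0003' and 'aabbcc000004'.
    Matching raw strings is the classic inventory bug: one NIC appears as
    'AA:BB:CC:..' on the switch and 'aa-bb-cc-..' in the spreadsheet and
    gets counted as two devices, one of them "unauthorized".
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not MAC_HEX_RE.match(hexdigits):
        raise ValueError("not a MAC address: %r" % (mac,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class InventoryEntry:
    mac: str
    hostname: str
    owner: str          # accountable person or team; "" means no identifiable owner
    handles_cui: bool   # drives AC.3.020 / AC.3.022 scoping


# Constructed inventory (hypothetical devices, deliberately inconsistent MAC formats).
INVENTORY = [
    InventoryEntry("AA:BB:CC:00:00:01", "eng-laptop-01", "j.doe", True),
    InventoryEntry("aa-bb-cc-00-00-02", "eng-laptop-02", "r.roe", False),
    InventoryEntry("aabb.cc00.0003", "lab-printer", "", False),      # owner never recorded
    InventoryEntry("AA:BB:CC:00:00:04", "retired-desktop", "it-ops", True),
]

# Constructed observation: "ip mac hostname" per line, as a lease export might give.
OBSERVED = """\
10.0.1.10 aa:bb:cc:00:00:01 eng-laptop-01
10.0.1.11 AA:BB:CC:00:00:02 eng-laptop-02
10.0.1.20 aa:bb:cc:00:00:03 lab-printer
10.0.1.99 de:ad:be:ef:00:01 android-7f3a
"""


def parse_observed(text):
    """Map canonical MAC -> (ip, hostname) for each observed device."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, host = line.split(maxsplit=2)
        seen[normalize_mac(mac)] = (ip, host)
    return seen


def reconcile(inventory, observed_text):
    """Return (unauthorized, unowned, not_seen, cui_in_scope), each a sorted MAC list.

    unauthorized: observed but not in the inventory (AC.1.001[f] cannot be met for these)
    unowned:      inventory entries with no identifiable owner (cf. MP.3.123)
    not_seen:     inventoried but not observed; candidates for retirement review
    cui_in_scope: observed devices the inventory marks as handling CUI (AC.3.020[a])
    """
    by_mac = {normalize_mac(e.mac): e for e in inventory}
    observed = parse_observed(observed_text)
    unauthorized = sorted(m for m in observed if m not in by_mac)
    unowned = sorted(m for m, e in by_mac.items() if not e.owner)
    not_seen = sorted(m for m in by_mac if m not in observed)
    cui_in_scope = sorted(m for m in observed if m in by_mac and by_mac[m].handles_cui)
    return unauthorized, unowned, not_seen, cui_in_scope


if __name__ == "__main__":
    bad, unowned, stale, cui = reconcile(INVENTORY, OBSERVED)
    print("unauthorized (observed, not inventoried):", bad)
    print("no identifiable owner:", unowned)
    print("inventoried but not seen:", stale)
    print("observed CUI-handling devices:", cui)
```

Run it against a real lease or ARP export and the first list is the one an assessor will ask how you act on; the other three are the inventory hygiene questions (ownership, stale entries, CUI scope) that the table above keeps circling back to.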
