J.Gregory McVerry and Rick Dawson
You cannot protect what you do not know you have. Asset Management requires an Organization Seeking Certification (OSC) to locate, identify, and log an inventory of the assets in the organization. The time to act has passed; we cannot let our data slip away like grains of sand.
Yet inventory means more than asset management. Many, if not all, of the CMMC domains require you to inventory, define, identify, or list items, and all of them rely on good inventory practices. This domain has organizations work on IT Asset Management, or ITAM.
As a Certified CMMC Professional (CCP) you will assist an OSC in capturing the flow of information across identities, technologies, facilities, and external service providers (ESPs), all of which are part of the potential CMMC assessment scope.
Asset management drives cybersecurity hygiene. You must help an organization understand the flow of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). As a CCP you need to work with your clients to answer, “Do you know where CUI resides and how the data flows through your organization?”
An OSC will classify and label assets based on the data present in the system. They must know whether the asset processes, stores, or transmits FCI, CUI, or both. For CMMC Level 1 (L1), only assets that handle FCI are considered in scope.
CMMC Level 3 (L3) assessments get conducted when an organization transmits, stores, or processes CUI. Often these organizations also have FCI. If, for example, an organization uses two different enclaves, one for FCI and one for CUI, it will need two different assessments. If FCI and CUI are commingled in the same system, an OSC will seek a single assessment from a C3PAO.
As a CCP you can help companies with complex systems and small budgets save money if they can categorize assets as in scope or out of scope.
Sometimes your assets dictate that growing the scope so the entire company is a controlled environment is cheaper than trying to limit the scope to an enclave. This holds especially true for many small manufacturers that cannot add separation between CUI assets and normal business practices, such as using an Enterprise Resource Planning (ERP) tool.
As a CCP you will assist clients in categorizing five different types of assets:
| Asset category | Description |
|---|---|
| Controlled Unclassified Information (CUI) Assets | Assets that process, store, or transmit CUI |
| Security Protection Assets | Assets that provide security functions or capabilities to the contractor’s CMMC assessment scope, even if these assets do not store or transmit CUI |
| Contractor Risk Managed Assets | Assets that can, but are not intended to, process, store, or transmit CUI because of the security policy, procedures, and practices in place |
| Specialized Assets | Assets that may or may not process, store, or transmit CUI but are out of scope of CMMC beyond documenting risk mitigation in the SSP through security policy, procedures, and practices |
| Out of Scope Assets | Assets that cannot process, store, or transmit CUI |
As a CCP you must work with companies to develop their asset inventory as a method to list and provide details of the assets the company owns. This can cover a range of asset types, from tangible fixed assets such as property and equipment to intangible assets such as intellectual property. We must count our computers and printers, and thinking about what gets plugged in provides a good starting point for many of the clients a CCP will help.
But with asset management you must think behind the wall. A physical asset management system can tell you the location of a computer, but it cannot answer questions like, “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?” These are the types of questions a CCP must answer to track the flow of FCI and CUI through IT asset management (ITAM).
An effective ITAM solution ties together physical and virtual assets and provides management with a complete picture of what assets exist, where they are, and how they get used. ITAM enhances visibility for security analysts, which leads to better asset utilization and security.
As a CCP you will need to match the ITAM system to the size and culture of a company. Many small to medium size companies still use a boots-on-the-ground approach to inventory and have a manual process of walking around and counting devices. Older institutions, such as universities and manufacturers, may have inventory practices that predate the Internet. Maintenance, or another department, may do the inventory of IT devices. As a CCP, get to know an organization as you craft its ITAM.
Many Organizations Seeking Certification do inventory well and have mature inventory systems attached to their business optimizations and standard procedures. A good CCP will recognize in-house expertise and existing systems. A company that ekes out margins at the end of the Defense supply chain can count scrap to the microgram. Utilize this existing mindset and manufacturing metaphors to extend this expertise to endpoint detection.
A CCP should help an organization move toward a more automated and integrated approach to ITAM. Key aspects of ITAM programs include:
- Asset inventory – Getting a comprehensive inventory of all hardware, software, and network assets
- License management – Ensuring all assets are running properly licensed software
- Lifecycle management – Deciding which assets should be decommissioned, managing the software licenses on these assets, and updating the inventory
Yet the above approach would only help with four out of the five CMMC asset categories. We must also consider the Security Protection Assets: basically, all the cybersecurity tooling a company uses and pays for to protect its systems (often a CCP finds duplicative or unused software with expensive monthly subscriptions or unused seats). Your cybersecurity, or SPA, inventory should include:
- Gathering data from any source that provides detailed information about assets
- Correlating that data to generate a view of every asset and what’s on it
- Continually validating every asset’s adherence to the overall security policy
- Creating automatic, triggered actions whenever an asset deviates from that security policy
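As an added example (not from the original text or any CMMC publication), the script below takes constructed records from a walk-around tag list and an endpoint agent report, correlates them by serial number, assigns each asset one of the five CMMC categories from the table above, and flags deviations from an assumed policy that every in-scope asset runs an EDR agent. The category name Specialized Assets, the serial numbers, and the agent and share names are assumptions.

```python
from dataclasses import dataclass, field
@dataclass
class Asset:
    serial: str
    handles_cui: bool = False        # processes, stores, or transmits CUI
    cui_capable: bool = False        # could handle CUI, but policy says it must not
    security_function: bool = False  # firewall, EDR console, SIEM, and similar
    specialized: bool = False        # OT/IoT/test gear, documented in the SSP
    software: set = field(default_factory=set)  # what the endpoint agent reported

def correlate(*sources):
    """Merge records from several inventory sources into one Asset per serial."""
    merged = {}
    for rec in (r for src in sources for r in src):
        a = merged.setdefault(rec["serial"], Asset(rec["serial"]))
        for key, val in rec.items():
            if key == "software":
                a.software |= set(val)
            elif key != "serial":
                setattr(a, key, val)
    return merged

# First matching rule wins; an asset that cannot handle CUI at all is out of scope.
RULES = [("handles_cui", "CUI Asset"), ("security_function", "Security Protection Asset"),
         ("specialized", "Specialized Asset"), ("cui_capable", "Contractor Risk Managed Asset")]
def categorize(a):
    return next((cat for attr, cat in RULES if getattr(a, attr)), "Out of Scope Asset")
REQUIRED_AGENT = "edr-agent"  # assumed policy: every in-scope asset must run this agent
def validate(a, category):
    """Return policy deviations for one asset; an empty list means compliant."""
    findings = []
    if category in ("CUI Asset", "Security Protection Asset") and REQUIRED_AGENT not in a.software:
        findings.append(f"missing {REQUIRED_AGENT}")  # also catches assets no sensor reported on
    if category == "Contractor Risk Managed Asset" and "cui-share" in a.software:
        findings.append("CUI share mounted on an asset not intended to handle CUI")
    return findings

def run_inventory(*sources):
    """Correlate, categorize and validate; return {serial: (category, findings)}."""
    return {s: (categorize(a), validate(a, categorize(a))) for s, a in correlate(*sources).items()}

TAG_LIST = [  # constructed: walk-around physical inventory
    {"serial": "LT-0001", "handles_cui": True}, {"serial": "LT-0003", "handles_cui": True},
    {"serial": "FW-0001", "security_function": True}, {"serial": "LT-0002", "cui_capable": True},
    {"serial": "CNC-0001", "specialized": True}, {"serial": "PR-0001"}]
AGENT_REPORT = [  # constructed: endpoint agent reports (LT-0003 never checked in)
    {"serial": "LT-0001", "software": ["edr-agent", "erp-client"]},
    {"serial": "FW-0001", "software": ["fw-os", "edr-agent"]},
    {"serial": "LT-0002", "software": ["edr-agent", "cui-share"]}]
```

Running `run_inventory(TAG_LIST, AGENT_REPORT)` flags LT-0003 (a CUI asset no sensor ever reported on) and LT-0002 (a risk-managed asset with a CUI share mounted), the two deviations a triggered action would act on.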
Automated asset management has significant advantages over manual asset inventory. Mainly, all your data lives in one place rather than in a variety of spreadsheets, clipboards, or bar code systems. Warranties, receipts, user manuals, STIGs, and baseline configurations get stored in one place. As a CCP you should help a company inventory all the important documentation required for all five CMMC asset categories.
As a CCP, if you help move an OSC to asset inventory software, or build procedures into its existing systems, your clients will find value in the ability to schedule maintenance automatically. Patching prevents problems. Good ITAM will help ensure systems stay up to date and employees can’t hit “Not now” forever.
Many inventory software systems, especially mobile device management tools, allow privileged users to perform remote updates and inspections of IT assets. You can inventory devices such as laptops or tablets. This saves the IT staff valuable time and resources. Manual inventory already hurts a company’s bottom line.
Inventory software helps to reduce loss through theft of valuable assets via physical verification and tagging of fixed assets. This in turn helps to protect the confidentiality of CUI, the goal of the CMMC program. Asset inventory software can produce the most accurate inventory. Discrepancies get identified and resolved quicker and cheaper than with manual methods. CCPs may want to consider doing assessments and contracts specifically around the automation of ITAM.
Reference Architecture and ITAM
Once again, document-based artifacts help to ensure success. IT Asset Management requires a set of policies and procedures to track, audit, and monitor the state of IT assets and maintain system configuration. Assets include:
- Computing devices and information technology (IT) systems
- IT networks
- IT circuits
- Switches and routers
- Software (both an installed instance and a physical instance)
- Virtual computing platforms (common in cloud and virtualized computing)
- Hardware (e.g., locks, cabinets, keyboards)
For many organizations a reference architecture can help align with both a Risk Management Framework and the NIST Framework for Improving Critical Infrastructure Cybersecurity. When a company with a more mature cyber hygiene stance conducts ITAM through a reference architecture, it gains the ability to track:
- selection and application of baseline security controls
- continuous monitoring and reporting of asset status to a data store
- implementation of anomaly detection mechanisms. Examples include deviations from normal network traffic or deviations from established configuration baselines
- provision of context to detected anomalies and cybersecurity events within the reporting and analytic engine
A reference architecture helps an organization select, implement, and monitor assets, which are key components of the Risk Management Framework. These reference architectures provide a method to select a baseline, implement it (both configuration and enforcement), and detect changes from the baseline.
The practices under this domain refer to just the five in-scope asset categories of CMMC, but a CCP should help a company use ITAM to also address the Identify, Protect, Detect, and Respond functions of the NIST Framework for Improving Critical Infrastructure Cybersecurity. When a company uses a reference architecture, it improves its ability to identify anomalies and add context to events, aiding in remediation, which is another key step in good use of a Risk Management Framework.
Reference architecture will also include data collection, data storage, configuration management, policy enforcement, data analytics, and reporting/visualization. The reference architecture is depicted in Figure 5-1.
Reference Architecture and flow of CUI and FCI
The reference functionality diagram (Figure 2) shows how data flows through an ITAM system. Tier 3 consists of the enterprise assets: the hardware, software, and virtual machines being tracked.
Tier 2 includes the sensors and independent systems that feed data into the enterprise ITAM system: the alerting tools and the counting software. As a CCP you must understand which passive and active collection sensors and agents a company’s Tier 2 systems include.
Tier 1 provides the pretty charts and data visualizations. It aggregates all of the data from Tier 2 systems into business and security intelligence.
Figure 2 ITAM Reference Functionality
A strong reference architecture will drive asset categorization through six ITAM capabilities:
- Data Collection: capability to enumerate and report the unique software and system configuration of each asset and transfer that information to the Data Storage capability.
- Data Storage: capability to receive data from the Data Collection capability, re-format it as needed, and store it in a storage system.
- Data Analytics: capability to perform analytic functions on the data made available by the Data Storage capability.
- Corporate Governance and Policies: rules that define which network/web sites employees can visit, what software can be installed, and what network services are allowed.
- Configuration Management Systems: capability to enforce Corporate Governance and Policies through actions such as applying software patches and updates, removing blacklisted software, and automatically updating configurations.
- Reporting and Visualizations: capability that generates human-readable graphical and numerical tables of the information provided by the Data Analytics capability.
When you connect a reference architecture to strong ITAM software, all six “run-time” capabilities happen periodically in an automated fashion. After performing the initial configuration and manually entering the asset into the asset database, most tasks get performed automatically.
ITAM and Asset Lifecycle
To meet the assessment objectives required by the practices of the Asset Management domain, a Certified CMMC Professional will have to help an Organization Seeking Certification track the life cycle of assets in scope for a CMMC assessment. A typical asset lifecycle includes:
- Enrollment
- Operations
- End-of-life phases
Enrollment involves manual activities performed by IT staff, such as assigning and tagging the asset with a serial number and barcode, loading a baseline IT image, assigning the asset to an owner, and, finally, recording the serial number and other attributes in a database; those attributes might also include primary location, hardware model, baseline IT image, and owner. Many MDM systems or corporate buying programs, such as those through Apple, help automate the enrollment process.
As the asset goes through the operations phase, changes can occur. Such changes could include introduction of new or unauthorized software, the removal of certain critical software, or the removal of the physical asset itself from the enterprise. These changes need to be tracked and recorded. As a consequence, asset monitoring, anomaly detection, reporting, and policy enforcement are the primary activities in this phase.
As a CCP you need to work with your clients to ensure assets get monitored using installed agents that reside on the asset, as well as network-based monitoring systems that scan and capture network traffic. These monitoring systems collect data from and about the assets and send periodic reports to the analytics engine. Each monitoring system sends reports with a slightly different emphasis on aspects of these enterprise assets. Reports are collected regarding installed and licensed software, vulnerabilities, anomalous traffic (e.g., traffic to new sites or drastic changes in the volume of traffic), and policy enforcement status.
As an asset reaches the end of its operational life, it goes through activities within the end-of-life phase that include returning the asset to IT support for data removal and removing the serial number from the registration database and other associated databases. Finally, the asset is prepared for physical removal from the enterprise facility.
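To show the three lifecycle phases as a small asset registry, here is an added example (not from the original text): it enrolls a constructed laptop with its baseline image, compares later agent reports against that baseline during operations, treats a never-enrolled serial as an anomaly, and refuses end-of-life removal until data removal is confirmed. The CRITICAL set, serial numbers, and software names are assumptions.

```python
from dataclasses import dataclass
CRITICAL = {"edr-agent", "disk-encryption"}  # assumed: baseline software that must never disappear

@dataclass
class Record:
    serial: str
    owner: str
    baseline: frozenset  # software loaded from the baseline IT image at enrollment

class Registry:
    """The asset database plus an audit trail of lifecycle events and detected changes."""
    def __init__(self):
        self.records, self.events = {}, []

    def enroll(self, serial, owner, image_software):
        """Enrollment: tag the serial, record the owner and baseline image, start operations."""
        self.records[serial] = Record(serial, owner, frozenset(image_software))
        self.events.append((serial, "enrolled"))

    def report(self, serial, observed):
        """Operations: compare an agent or sensor report against the enrolled baseline."""
        rec = self.records.get(serial)
        if rec is None:  # a device the registry never enrolled is itself an anomaly
            self.events.append((serial, "unregistered device"))
            return ["unregistered device"]
        findings = []
        if added := set(observed) - rec.baseline:
            findings.append("unauthorized software: " + ", ".join(sorted(added)))
        if gone := (rec.baseline & CRITICAL) - set(observed):
            findings.append("critical software removed: " + ", ".join(sorted(gone)))
        self.events.extend((serial, f) for f in findings)
        return findings

    def decommission(self, serial, data_removed):
        """End-of-life: drop the serial from the database only after data removal is confirmed."""
        if not data_removed:
            raise ValueError(f"{serial}: data removal not recorded, cannot decommission")
        del self.records[serial]
        self.events.append((serial, "decommissioned"))

def demo():
    """Walk one constructed laptop through the lifecycle and return the audit trail."""
    reg = Registry()
    reg.enroll("LT-0001", "engineering", ["edr-agent", "disk-encryption", "erp-client"])
    reg.report("LT-0001", ["edr-agent", "disk-encryption", "erp-client"])  # matches baseline
    reg.report("LT-0001", ["edr-agent", "erp-client", "torrent-client"])    # drift
    reg.report("LT-9999", ["edr-agent"])                                    # never enrolled
    reg.decommission("LT-0001", data_removed=True)
    return reg.events
```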
Helping Companies with Asset Categorization
As a CCP you will need to work with your clients on identifying data flow within their companies and understanding how this data flow affects the five asset categories of a CMMC assessment.
You will want to work with clients to leverage their existing expertise and systems for inventory to help them automate IT asset management. Long term, you want to help clients start to utilize a reference architecture as a larger part of their risk-based policies, plans, and procedures.