Asset Management and Data Categorization in CMMC 2.0

J.Gregory McVerry and Rick Dawson

You can not protect what you do not know you have. Asset Management requires an Organization Seeking Certification to locate, identify, and log inventory of the assets to your organization. The time to act has passed and we can not let our data slip like grains of sand.

Yet inventory refers to more than asset management. Many, if not all the CMMC Domains require you to inventory, define, identify or list items that will rely on good inventory practices. This domain has organizations work on IT Asset Management or ITAM.

As a Certified CMMC Professional you will assist an Organization seeking Certification to capture the flow of information across identities, technologies, facilities, and external service providers or ESPs, are part of the potential CMMC assessment scope.

The asset management will drive cybersecurity hygiene. You must help an organization understand the flow of Federal Contract Information and Controlled Unclassified Information. As a Certified CMMC Professional you need to work with your clients to answer, “Do know where CUI resides and how the data flows through your organization?”

Asset Categorization

An OSC will classify and label based on data present in the system. They must know if the asset processes, stores, or transmits   FCI or CUI, or both. For CMMC Level 1 (L1) only assets classified as FCI are considered in-scope

CMMC Level 3 (L3) Assessments get conducted whan an organization transmits, stores, or processes CUI. Often these organizations also have FCI. If an organization for example uses two different enclaves, one for FCI and one for CUI they will need two different assessments. If the FCI and CUI get comingled in the same system an OSC will seek a single assessment from a C3PAO.

As a Certified CMMC Professional you can help companies with a complex system and small budgets save money if they can categorize assets as in scope or knowing scope.

Sometimes your assets dictate that growing the scope, so the entire company is a controlled environment is often cheaper than trying to limit scope to an enclave. This holds especially true for many small manufacturers that cannot add separation between CUI assets and normal business practices such as using an Enterprise Resource Planning (ERP) tool.

As a CCP you will asset clients in categorizing five different types of assets:

Control Unclassified Information Assets


Assets that process, store, or transmit CUI
Security Protection Assets


Assets that provide security functions or capabilities to the contractor’s CMMC assessment scope even if these assets do not store or transmit CUI
Contractor Risk Managed Assets


Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures and practices in place
Specialized Assets


Assets that may or may not process store or transmit but out of scope of CMMC beyond documenting risk mitigation in the SSP through security policy, procedures and practices
Out of Scope Assets Assets that cannot process, store, or transmit CUI


As a CCP you must work with companies to develop their Asset inventory as a method to list and provides details of the assets the company owns. This can cover a range of different types of assets, from tangible fixed assets such as property and equipment, intangible assets such as intellectual property. We must count our computers and printers and thinking about what gets plugged in provides a good starting point for many clients a CCP will help.

But with Asset Management you must think behind the wall. Physical asset management system can tell you the location of a computer, it cannot answer the questions like, “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?” The type of questions a CCP must answer to track the flow of FCI and CUI through IT asset management (ITAM).

An effective IT asset management (ITAM) solutions tie together physical and virtual assets and provide management with a complete picture of what, where, and how assets get used. ITAM enhances visibility for security analysts, which leads to better asset utilization and security.

As a CCP you will need to match the IT Asset Management system to the size and culture of a company. Many small to medium size companies still use a boots on the ground approach to inventory and have a manual approach of walking around and counting devices. Older institutions, such as Universities and manufacturers, may have inventory practices that predate the Internet. Maintenance, or another department may do inventory of IT devices. As a CCP get to know an organization as you craft their IT Asset Management (ITAM)

Many Organizations Seeking Certification do inventory well and have mature inventory systems attached to their business optimizations and stand procedures. A good CCP will recognize in house expertise and existing systems. A company who eeks out margins at the end of the Defense supply chain can count scraps to the micrograms. Utilize this existing mindset and manufacturing metaphors to extend this expertise to endpoint detection.

A CCP should help organize move towards a more automated and integrated approach to IT Asset Management (ITAM) Key aspects of ITAM programs include:

Yet the above approach would only help with  four out of five CMMC asset categories. We must also consider the Security Protection Assets. Basically all the cybersecurity stuff a company uses and pays for (often a CCP finds duplicative or unused software with expensive monthly subscriptions or unused seats) to protect their systems. Your cybersecurity, or SPA inventory should:

Automated asset management has significant advantages over manual inventory asset. Mainly all your data lives in one place rather than a variety of spreadsheets, clipboards, or bar code systems. Warranties, receipts, user manuals, STIGS, and baseline configurations get stored in one place.  As a CCP you should help a company inventory all the important documentation required for all five types of CMMC asset categories.

As a CCP if you help move an OSC to  asset inventory software, or build procedures into their existing systems your clients will find value  in the ability to schedule maintenance automatically. Patching prevents problems. Good IATM will help to ensure systems stay up to date and employees can’t hit, “Not now” forever.

Many inventory software systems, especially mobile device management tools allow privileged users to perform remote updates and inspections of IT assets. You can inventory devices  such as laptops or tablets. This saves the IT staff valuable time and resources. Manual until hurts inventory hurts a companies bottom line already.

Inventory software helps to reduce loss through theft of valuable assets via physical verification and tagging of fixed assets. This in turn helps to protect the confidentiality of CUI, the goal of the CMMC program. Asset inventory software can produce the most accurate inventory. Discrepancies get identified and resolved quicker and cheaper than manual methods. CCPs may want to consider doing assessments and contracts specially around the automation of IATM.

Reference Architecture and IATM

Once again document-based artifacts help to ensure success. IT Asset Management requires  a set of policies and procedures to track, audit, and monitor the state of its IT assets, and maintain system configuration. Assets include:

computing device information technology (IT) system

For many organizations a reference architecture can help align with both a Risk Management Framework and the NIST Framework for Improving Critical Infrastructure Cybersecurity. When a company with a more mature cyber hygiene stance conducts IATM through reference architecture they gain the ability to track:

Reference Architecture helps an organization Select, Implement, and Monitor assets. Key components of  Risk Management Framework. These reference architectures provide a method to select a baseline, implement it (both configuration and enforcement), and detect changes in the baselines.

The practices under this domain refer to just the five in scope assets of CMMC but a CCP should help a company use ITAM to also address the Identify, Protect, Detect, and Respond aspects of the NIST Framework for Improving Critical Infrastructure Cybersecurity. When a company uses a Reference Architecture, they improve the ability to identify anomalies and add context to events, aiding in remediation. Another key step in good use of a Risk Management Framework.

Reference architecture will also include data collection, data storage, configuration management, policy enforcement, data analytics, and reporting/visualization. The reference architecture is depicted in Figure 5-1.

Reference Architecture and flow of CUI and FCI

Functionality, shows how data flows through an  ITAM system. Tier 3 consists  of enterprise assets.. Tier 3 includes the assets being tracked including hardware, software, and virtual machines.

Tier 2 includes the sensors and independent systems that feed data into the enterprise ITAM system. The alerting tools and the counting software. As a CCP you must understand what passive and active collection sensor and agents a companies Tier 2 systems include.

Tier 1 provides the pretty charts and data visualizations. It aggregates all of data from Tier 2 systems into business and security intelligence.

Figure 2 ITAM Reference Functionality

A strong reference architecture will drive asset categorization ITAM capabilities:

When you connect a reference architecture to strong IATM software all six a “run-time” capabilities happen periodically in an automated fashion. After performing the initial configuration and manually entering the asset into the asset database, most tasks get performed automatically.

IATM and Asset Lifecycle

To meet the assessment objectives required by the practices of the Asset Management domain a Certified CMMC Professional will have to help an Organization Seeking Certification track the life cycle of assets in scope for a CMMC assessment.In a typical lifecycle, an asset lifecycle includes:

Enrollment involves manual activities performed by IT staff such as assigning and tagging the asset with a serial number and barcode, loading a baseline IT image, assigning the asset to a owner, and, finally, recording the serial number as well as other attributes into a database. Many MDM devices or corporate buying programs, such as those through Apple do help automate the enrollment process. might also include primary location, hardware model, baseline IT image, and owner.

As the asset goes through the operations phase, changes can occur. Such changes could include introduction of new or unauthorized software, the removal of certain critical software, or the removal of the physical asset itself from the enterprise. These changes need to be tracked and recorded. As a consequence, asset monitoring, anomaly detection, reporting, and policy enforcement are the primary activities in this phase.

As a CCP you need to work with your clients to ensure assets get monitored using installed agents that reside on the asset, as well as network-based monitoring systems that scan and capture network traffic. These monitoring systems collect data from and about the assets and send periodic reports to the analytics engine. Each monitoring system sends reports with slightly differing emphasis on aspects of these enterprise assets. Reports are collected regarding installed and licensed software, vulnerabilities, anomalous traffic (i.e. traffic to new sites or drastic changes in the volume of traffic), and policy enforcement status.

As an asset reaches the end of its operational life, it goes through activities within the end-of-life phase that include returning the asset to IT support for data removal and removing the serial number from the registration database and other associated databases. Finally, the asset is prepared for physical removal from the enterprise facility.

Helping Companies with Asset Categorization

As a CCP you will need to work with your clients on identifying data low within their companies and understanding how this data flow impacts the five asset categories of a CMMC assessment.

You will want to work with clients to leverage their existing expertise and systems for inventory to help them automate IT asset management. Long term you want to help clients start to utilize reference architecture as a larger part of their risk based policy, plans and procedures.

Leave a comment

Your email address will not be published. Required fields are marked *