The Cybersecurity Maturity Model Certification (CMMC) guidance groups security best practices and technical controls into 17 domains. Each domain is made up of capabilities, processes and practices that relate to the CMMC’s five maturity levels.
CMMC’s Asset Management (AM) domain has two very important practices, one within CMMC levels 3 and 4, respectively. This might not seem like much, but these compliance requirements will significantly impact many companies.
What does the CMMC asset management domain include?
Asset management is the ability to detect, classify, inventory and track/log all the hardware and associated services, software and other technology that stores, processes, or transmits Controlled Unclassified Information (CUI). These two practices have direct traceability to NIST 800-53r4, CM-8 at the Level 4, and at Level 3, an indirect alignment to RA-2 security controls. They invite organizations to establish and resource controls to categorize, protect, dispose, backed up controlled data in order to better respond system vulnerabilities, regardless of its hosting environment (physical and/or logical, on-prem and/or cloud-based).
The identification, documentation, and management of covered assets are foundational elements of other key IT management capabilities that impact security, especially configuration management, and incident response.
What are the CMMC asset management domain capabilities?
The CMMC asset management domain has two capabilities:
- C005: Identify and document assets
This critical capability covers procedures for handling CUI.
- C006: Manage asset inventory
This capability focuses on discovering assets and identifying their attributes; e.g., operating system, firmware level and/or version number.
What are the CMMC asset management practices?
Capability C005 includes the practice AM.3.036, Define procedures for the handling of CUI data. According to CMMC Version 1.02, this practice covers both digital and physical data, and encompasses procedures like how to categorize data as CUI, how to control access to CUI, and how to receive, transmit, store, back up, and destroy CUI. Precursors to implementing this practice include defining the different classifications of data your business works with (e.g., CUI, CUI//CTI, CUI//NOFORN, CUI//CVI, etc.), as well as defining procedures for handling (process, store, transmit) or safeguarding limitation (release, distribution, disclosure) of each data type.
Capability C006 includes the lone practice AM.4.226, Employ a capability to [automatically] discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory. The point of this control is to enable your organization with the ability to locate vulnerabilities and rapidly deploy the required patches, otherwise isolate the systems until related vulnerabilities are remedied. This control is also essential for detecting new assets on your network. If you need to compaly with this practice, at CMMC Level 3 or Level 4, you’ll need to create a policy specifying how to identify and document (L3), and maintain this inventory (L4), including all the places where you need to gather inventory data and how you’ll measure the inventory’s effectiveness.
Asset management controls are essential for proactively protecting CUI. That is why they come into play at CMMC Level 3 and above, as this is the minimum maturity level required to handle CUI.
A large marketplace of third-party tools is available to help with different aspects of asset management. However, it can be a challenge to decipher the required process/procedures or the correct tool or service that will suffice to achieve CMMC compliance. These are a few of the reasons PPS has invested in RP training, and soon CP and CA training for our Consultants, to aid in the successful implementation of the expected CMMC Level (or something less cheese than this).
If you have questions about how your business can best meet asset management or other CMMC practices and processes, contact Pivot Point Security to start a conversation with a CMMC expert.