On the Center for Internet Security (CIS) Critical Security Controls list, asset management is at the top. It’s foundational to any cybersecurity program, especially a robust posture like what NIST 800-171 mandates to protect controlled unclassified information (CUI). If you don’t know what assets you have, how can you protect them or the data associated with them?
But for SMBs in the US defense industrial base (DIB), asset management is near the top of the list of problems and causes of confusion. Given the wide choice of asset management tools at all price points, why are DIB orgs stumbling over the NIST 800-171 asset management controls?
To unpack the top issues that defense suppliers are currently facing with cyber compliance, a recent episode of The Virtual CISO Podcast features CMMC experts Kyle Lai, founder and CISO at KLC Consulting, and Caleb Leidy, CUI Protection and CMMC Consultant at Pivot Point Security. Hosting the show as always is John Verry, Pivot Point Security CISO and Managing Partner.
Security must start somewhere
As Kyle points out, one reason DIB SMBs are behind the 8-ball on asset management is their overall lack of security experience and maturity.
“How long have they paid attention to IT security?” posits Kyle. “Because in the manufacturing sector, a lot of [DIB orgs] are not too big. If they are 50-, 100- or even 500-person companies, sometimes they don’t have good asset management. Or if they do, they probably have a manual process. And when you have anything over, like, 20 or 50 assets, it’s not possible to document everything manually and keep it up to date.”
OT equipment is harder to inventory and manage
Another asset management challenge for SMB manufacturers is their operational technology (OT) assets, like CNC machines, PLC systems, specialized test equipment, etc. Then there are the IT systems that interface with these OT systems.
Managing all that specialized hardware and software without automation to support discovery and track status is next to hopeless. This is why investing in asset management tools is essentially mandatory for CMMC compliance. On the upside, with an asset management solution in place you can generate a list of workstations, servers and associated software on demand, anytime.
Even running a basic vulnerability scan once a month could give you a “current asset list” for compliance purposes, as John notes.
Start with IT
For SMB manufacturers in the DIB, an asset management “good practice” is to start with IT systems and then move on to OT systems and Internet of Things (IoT) devices like sensors and “smart” cameras, etc. These latter assets are more complex to inventory and manage, often because the software that’s helping you has an IT bias.
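The two practical points above, that a periodic scan can stand in for a "current asset list" and that IT, OT and IoT assets are best handled as separate categories, come together in a reconciliation step: compare what the scanner saw against the inventory you maintain, flag hosts you did not know about, and flag inventory entries the scan no longer finds. The script below is an added illustration, not code from the podcast, its guests or Pivot Point Security. The inventory, the scan export and the port-to-category hints (Modbus, S7comm, DNP3, EtherNet/IP for OT; RTSP and MQTT for IoT) are constructed for the example, and the port heuristic is an assumption meant only to queue hosts for human review, not to classify them authoritatively.

```python
"""Reconcile a monthly discovery/vulnerability scan against a maintained asset inventory.

All data below is constructed for illustration. The port-based category guess is a
simple heuristic (an assumption of this example), not an authoritative classification.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed "last known" inventory, keyed by IP. Category uses the IT / OT / IoT
# split discussed in the post.
INVENTORY = {
    "10.0.1.10": {"hostname": "fs01",   "category": "IT", "owner": "IT",         "last_seen": "2024-04-02"},
    "10.0.1.11": {"hostname": "erp01",  "category": "IT", "owner": "IT",         "last_seen": "2024-04-02"},
    "10.0.1.25": {"hostname": "ws-old", "category": "IT", "owner": "Eng",        "last_seen": "2023-11-15"},
    "10.0.2.40": {"hostname": "cnc-03", "category": "OT", "owner": "Shop floor", "last_seen": "2024-04-02"},
}

# Constructed scan export: IP, hostname if it resolved, open TCP ports observed.
SCAN = [
    {"ip": "10.0.1.10", "hostname": "fs01",        "ports": [445, 3389]},
    {"ip": "10.0.1.11", "hostname": "erp01",       "ports": [443, 1433]},
    {"ip": "10.0.2.40", "hostname": "",            "ports": [502, 80]},
    {"ip": "10.0.2.41", "hostname": "",            "ports": [502]},        # not in inventory
    {"ip": "10.0.3.7",  "hostname": "",            "ports": [554, 80]},    # not in inventory
    {"ip": "10.0.1.50", "hostname": "laptop-jdoe", "ports": [445]},        # not in inventory
]

# Heuristic hints only: well-known industrial / device protocol ports.
OT_PORTS = {102, 502, 20000, 44818}   # S7comm, Modbus/TCP, DNP3, EtherNet/IP
IOT_PORTS = {554, 1883}               # RTSP (cameras), MQTT (sensors)


def guess_category(ports):
    """Return a category hint for an unknown host from its open ports."""
    open_ports = set(ports)
    if open_ports & OT_PORTS:
        return "OT"
    if open_ports & IOT_PORTS:
        return "IoT"
    return "IT"


@dataclass
class Reconciliation:
    confirmed: list = field(default_factory=list)  # in scan and in inventory
    unknown: list = field(default_factory=list)    # in scan, not in inventory
    missing: list = field(default_factory=list)    # in inventory, not seen by scan


def reconcile(scan, inventory, scan_date):
    """Compare a scan export (list of host dicts) with the inventory (dict keyed by IP).

    scan_date is an ISO date string such as "2024-05-01".
    """
    today = date.fromisoformat(scan_date)
    result = Reconciliation()
    seen = set()
    for host in scan:
        seen.add(host["ip"])
        if host["ip"] in inventory:
            result.confirmed.append(host["ip"])
        else:
            result.unknown.append({
                "ip": host["ip"],
                "hostname": host["hostname"] or "(unresolved)",
                "category_guess": guess_category(host["ports"]),
            })
    for ip, rec in inventory.items():
        if ip not in seen:
            days = (today - date.fromisoformat(rec["last_seen"])).days
            result.missing.append({"ip": ip, "hostname": rec["hostname"], "days_since_seen": days})
    return result


def refresh_inventory(inventory, result, scan_date):
    """Return an updated copy of the inventory: confirmed hosts get a new last_seen,
    unknown hosts are added flagged for review, missing hosts are kept but flagged."""
    updated = {ip: dict(rec) for ip, rec in inventory.items()}
    for ip in result.confirmed:
        updated[ip]["last_seen"] = scan_date
        updated[ip]["status"] = "active"
    for item in result.unknown:
        updated[item["ip"]] = {
            "hostname": item["hostname"],
            "category": item["category_guess"],
            "owner": "UNASSIGNED - review",
            "last_seen": scan_date,
            "status": "needs_review",
        }
    for item in result.missing:
        updated[item["ip"]]["status"] = "not_seen"
    return updated


def summary(result):
    return {"confirmed": len(result.confirmed), "unknown": len(result.unknown), "missing": len(result.missing)}


if __name__ == "__main__":
    r = reconcile(SCAN, INVENTORY, "2024-05-01")
    print(summary(r))
    for u in r.unknown:
        print("unknown host, review:", u)
    for m in r.missing:
        print("inventory entry not seen:", m)
```

With the constructed data, three hosts are confirmed, three are unknown (one guessed as OT from Modbus, one as IoT from RTSP, one IT) and one inventory entry has not been seen for 168 days. The "unknown" list is the one to act on first: each entry needs an owner and a confirmed category before it can be treated as in or out of CUI scope.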
The good news is, as a manufacturer you probably know what OT you have because that’s what drives your business forward.
“Everyone sees that [CMMC] asset management is all about managing your asset categories from the scoping guide,” says Caleb. “But when you get to OT asset management, if you’re a manufacturer, that’s the entirety of your business. Your whole living is based on how those systems are working.”
Caleb continues: “I bet they’ve got a pretty good hold on their equipment and whether it’s functioning properly and their inventories and all of that. From a DIBCAC perspective, seeing the assessments of OT systems in real life, it was typically more a matter of, ‘These are the systems that we have.’ And not as much about a full inventory as it would be for the IT stuff.”
So, while smaller DIB manufacturers aren’t by any means off the hook for asset management, they don’t necessarily need a sophisticated, automated approach to every aspect of the process across all their asset types.
To listen to the full podcast episode with Caleb and Kyle, click here.
Want a quick overview of the CMMC asset management domain and controls? Here’s a blog post on the topic: CMMC Asset Management Domain: Here are the Essentials