Inventory matters. As Sarah Spencer, CEO of SolonTek, notes, “You cannot protect what you cannot see.”
Now, some people read the CMMC assessment guide for Level One and think, “Huh, no inventory needed?”
This is not true. You may not need to show your inventory results or policies for Level One compliance, but you will not be Level One compliant without a good inventory policy.
Think about assessment objective f of Access Control 1.001, “[f] system access is limited to authorized devices (including other systems).” You will need to inventory your systems to comply with this objective.
What about CUI? If you read NIST SP 800-18 on writing a System Security Plan, you quickly realize you need to inventory all of your 7012 contracts and the data owner for each one.
Vincent Scott and I developed a quick table of “some” of the areas hit by good inventory. The word “identified” happens a ton in the CMMC assessment guides. You have to decide if this also means counting. This list will continue to grow, so if you think we missed something, please let us know.
Comment on LinkedIn or, better yet, get a blog and send me a webmention.
| CMMC Level | Domain | Number | Definition | Assessment Objective | NIST 171 |
|---|---|---|---|---|---|
| 1 | Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices | [c] devices (and other systems) authorized to connect to the system are identified; | 3.1.1 |
| 1 | Access Control | AC.1.001 | Limit information system access to authorized users, processes acting on behalf of authorized users, or devices | [f] system access is limited to authorized devices (including other systems). | 3.1.1 |
| 2 | Access Control | AC.2.006 | Limit use of portable storage devices on external systems | [a] the use of portable storage devices containing CUI on external systems is identified and documented; | 3.1.21 |
| 2 | Access Control | AC.2.011 | Authorize wireless access prior to allowing such connections | [a] wireless access points are identified; | 3.1.16 |
| 2 | Access Control | AC.2.015 | Route remote access via managed access control points | [a] managed access control points are identified and implemented; | 3.1.14 |
| 2 | Access Control | AC.2.016 | Control the flow of CUI in accordance with approved authorizations | [c] designated sources and destinations (e.g., networks, individuals, and devices) for CUI within the system and between interconnected systems are identified; | 3.1.3 |
| 3 | Access Control | AC.3.020 | Control connection of mobile devices | [a] mobile devices that process, store, or transmit CUI are identified; | 3.1.18 |
| 3 | Access Control | AC.3.022 | Encrypt CUI on mobile devices and mobile computing platforms | [a] mobile devices and mobile computing platforms that process, store, or transmit CUI are identified; | 3.1.19 |
| 2 | Configuration Management | CM.2.061 | Establish and maintain baseline configurations and inventories of organizational systems throughout the respective system development life cycles | [e] the system inventory includes hardware, software, firmware, and documentation; and | 3.4.1 |
| 1 | Identification and Authentication | IA.1.076 | Identify information system users, processes acting on behalf of users, or devices | [c] devices accessing the system are identified. | 3.5.1 |
| 1 | Identification and Authentication | IA.1.077 | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems | [c] the identity of each device accessing or connecting to the system is authenticated or verified as a prerequisite to system access. | 3.5.2 |
| 3 | Media Protection | MP.3.123 | Prohibit the use of portable storage devices when such devices have no identifiable owner | [a] the use of portable storage devices is prohibited when such devices have no identifiable owner. | 3.8.8 |
| 1 | Physical Protection | PE.1.134 | Control and manage physical access devices | [a] physical access devices are identified; | 3.10.5 |
| 2 | System and Communications Protections | SC.2.178 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device | [a] collaborative computing devices are identified; | 3.13.12 |
| 2 | System and Communications Protections | SC.2.179 | Use encrypted sessions for the management of network devices | [a] the organization has one or more policies and/or procedures for establishing connections to manage network devices; | N/A |
| 1 | System and Informational Integrity | SI.1.211 | Provide protection from malicious code at appropriate locations within organizational information systems | [a] designated locations for malicious code protection are identified; | 3.14.2 |