CMMC Asset Management Domain: Here are the Essentials

The Cybersecurity Maturity Model Certification (CMMC) guidance groups security best practices and technical controls into 17 domains. Each domain is made up of capabilities, processes and practices that relate to the CMMC’s five maturity levels.

CMMC’s Asset Management (AM) domain has two very important practices, one at CMMC Level 3 and one at Level 4. This might not seem like much, but these compliance requirements will significantly impact many companies.

What does the CMMC asset management domain include?

The identification, documentation, and management of covered assets are foundational elements of other key IT management capabilities that impact security, especially configuration management and incident response.

What are the CMMC asset management domain capabilities?

  1. C005: Identify and document assets
    This critical capability covers procedures for handling CUI.
  2. C006: Manage asset inventory
    This capability focuses on discovering assets and identifying their attributes; e.g., operating system, firmware level and/or version number.

What are the CMMC asset management practices?

Capability C006 includes the lone practice AM.4.226: Employ a capability to [automatically] discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory. The point of this control is to give your organization the ability to locate vulnerabilities and rapidly deploy the required patches, or otherwise isolate the systems until the related vulnerabilities are remedied. This control is also essential for detecting new assets on your network. If you need to comply with this practice, at CMMC Level 3 or Level 4, you’ll need to create a policy specifying how to identify and document (L3), and maintain (L4), this inventory, including all the places where you need to gather inventory data and how you’ll measure the inventory’s effectiveness.
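A sketch of how the output of such a discovery capability can be queried and reconciled, added here as an example and not taken from the original article or from the CMMC guidance. The record fields, matching on MAC address, the `vendoros` label and the coverage metric are assumptions, and all inventory and scan data is constructed.

```python
# Added example: asset records and scan results below are constructed sample data.
from dataclasses import dataclass

@dataclass(frozen=True)
class Asset:
    mac: str        # assumed stable identifier for matching scans to inventory
    hostname: str
    os_type: str
    firmware: str   # dotted version string, e.g. "2.10.0"

def parse_version(v):
    """Turn '2.10.0' into (2, 10, 0) so versions compare numerically, not as text."""
    return tuple(int(p) for p in v.split("."))

def needs_patch(inventory, os_type, fixed_in):
    """Assets of the given OS type whose firmware is older than the fixed version."""
    floor = parse_version(fixed_in)
    return [a for a in inventory
            if a.os_type == os_type and parse_version(a.firmware) < floor]

def reconcile(inventory, discovered_macs):
    """Compare the documented inventory with what a discovery scan saw."""
    known = {a.mac.lower() for a in inventory}
    seen = {m.lower() for m in discovered_macs}
    return {
        "unknown": sorted(seen - known),   # on the network, not in the inventory
        "missing": sorted(known - seen),   # in the inventory, not seen by the scan
        # Assumed effectiveness metric: share of discovered devices that are documented.
        "coverage": round(len(seen & known) / len(seen), 2) if seen else 1.0,
    }

INVENTORY = [
    Asset("00:11:22:33:44:01", "fw-edge-1", "vendoros", "2.9.3"),
    Asset("00:11:22:33:44:02", "fw-edge-2", "vendoros", "2.10.0"),
    Asset("00:11:22:33:44:03", "ws-eng-7", "windows", "1.4.0"),
]
SCAN = ["00:11:22:33:44:01", "00:11:22:33:44:02", "AA:BB:CC:DD:EE:FF"]

if __name__ == "__main__":
    for a in needs_patch(INVENTORY, "vendoros", "2.10.0"):
        print("patch or isolate:", a.hostname, a.firmware)
    print(reconcile(INVENTORY, SCAN))
```

Comparing firmware levels as text would rank "2.9.3" above "2.10.0" and miss the unpatched device, which is why the versions are parsed into numeric tuples first.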

What’s next?

A large marketplace of third-party tools is available to help with different aspects of asset management. However, it can be a challenge to determine the required processes and procedures, or the tool or service that will suffice to achieve CMMC compliance. These are a few of the reasons PPS has invested in RP training, and soon CP and CA training, for our consultants, to aid in the successful implementation of the expected CMMC Level.

If you have questions about how your business can best meet asset management or other CMMC practices and processes, contact Pivot Point Security to start a conversation with a CMMC expert.

We are a trusted source of simple, practical, and actionable information security guidance.