Back to Control Explorer



Control Acronym



Asset Management

CMMC Level


800-171 Control #


CMMC Description

Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.

CMMC Clarification

One purpose an organization might have in determining the component attributes is to identify and locate specific systems in the event a vulnerability is discovered in the hardware or software installed so patches can be rapidly deployed to these systems or have the systems isolated from the network. For small organizations or small enclaves, this might be achieved with manual processes. Automation is expected as scale increases in order to achieve results in an operational meaningful timeframe. Example 1 You are an IT administrator for your organization. You learn from the vendor about a privilege escalation vulnerability in version 9.3.201 of an application when running on macOS 10.14. Since you have this version of the application installed at your organization, you download the patch the vendor has released to correct this vulnerability. You run a report to identify all the macOS 10.14 systems with this version the software application installed. You schedule a job to install the patch the next time each of the systems on the report connects to the network. Example 2 You are on the cyber hunt team and find out there is a technique in the wild that adversaries are using against an IoT sensor that your organization has deployed. You check your system to identify how many of these sensors are currently connected to the network and their IP Addresses. You provide this information to the cyber operations team for increased monitoring until the vendor releases a patch.

800-171 Description

800-171 Discussion


Other Source Discussion

Organizations employ systems that can assess assets connected to the network in real time, or can create an inventory identifying system-specific information required for component accountability and to provide support to identify, control, monitor, and verify configuration items in accordance with the authoritative source. For user computing systems this should include: firmware level, OS type, drive type, network and wireless card vendors, monitor card type and vendor, and software applications installed on that system.

CIS Control References

CIS Controls v7.1 1.1, 1.2, 1.4, 1.5, 2.3, 2.4, 2.5

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 CM-8

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 ID.AM-1, ID.AM-2

CERT RMM Reference


Modification of NIST 800-171B Reference

CMMC modification of Draft NIST SP 800-171B 3.4.3e

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15