AST-02: Asset Inventories

AST 10 — Critical Identify

Mechanisms exist to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that: (1) Accurately reflects the current TAASD in use; (2) Identifies authorized software products, including business justification details; (3) Is at the level of granularity deemed necessary for tracking and reporting; (4) Includes organization-defined information deemed necessary to achieve effective property accountability; and (5) Is available for review and audit by designated organizational personnel.

Control Question: Does the organization perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that: (1) Accurately reflects the current TAASD in use; (2) Identifies authorized software products, including business justification details; (3) Is at the level of granularity deemed necessary for tracking and reporting; (4) Includes organization-defined information deemed necessary to achieve effective property accountability; and (5) Is available for review and audit by designated organizational personnel?

General (61)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC2.1-POF6 CC2.1-POF9 CC6.1-POF1
CIS CSC 8.1 1 1.1 2 2.1 2.2 2.4 6.6
CIS CSC 8.1 IG1 1.1 2.1 2.2
CIS CSC 8.1 IG2 1.1 2.1 2.2 2.4 6.6
CIS CSC 8.1 IG3 1.1 2.1 2.2 2.4 6.6
COBIT 2019 BAI09.01
CSA CCM 4 DCS-05 DSP-03 STA-07 UEM-04
CSA IoT SCF 2 ASM-01 SNT-04
ENISA 2.0 SO15
GovRAMP Core CM-08
GovRAMP Low CM-08
GovRAMP Low+ CM-08
GovRAMP Moderate CM-08
GovRAMP High CM-08
IEC 62443-4-2 2019 CR 7.8 (11.10.1)
IMO Maritime Cyber Risk Management 3.5.2.2
ISO 27002 2022 5.9
ISO 27017 2015 8.1.1
MITRE ATT&CK 10 T1011.001, T1020.001, T1021.001, T1021.003, T1021.004, T1021.005, T1021.006, T1046, T1052, T1052.001, T1053, T1053.002, T1053.005, T1059, T1059.001, T1059.005, T1059.007, T1068, T1072, T1091, T1092, T1098.004, T1119, T1127, T1127.001, T1133, T1137, T1137.001, T1189, T1190, T1195.003, T1203, T1210, T1211, T1212, T1213, T1213.001, T1213.002, T1218, T1218.003, T1218.004, T1218.005, T1218.008, T1218.009, T1218.012, T1218.013, T1218.014, T1221, T1495, T1505, T1505.001, T1505.002, T1505.004, T1530, T1542, T1542.001, T1542.003, T1542.004, T1542.005, T1546.002, T1546.006, T1546.014, T1547.007, T1548, T1548.004, T1553, T1553.006, T1557, T1557.001, T1557.002, T1559, T1559.002, T1563, T1563.001, T1563.002, T1564.006, T1564.007, T1565, T1565.001, T1565.002, T1574, T1574.004, T1574.007, T1574.008, T1574.009, T1601, T1601.001, T1601.002, T1602, T1602.001, T1602.002
MPA Content Security Program 5.1 TS-5.0
NIST AI 100-1 (AI RMF) 1.0 GOVERN 1.6
NIST AI 600-1 GOVERN 1.6 GV-1.6-001 GV-1.6-002
NIST Privacy Framework 1.0 ID.IM-P1
NIST 800-37 R2 P-10
NIST 800-53 R4 CM-8 PM-5
NIST 800-53 R4 (low) CM-8
NIST 800-53 R4 (moderate) CM-8
NIST 800-53 R4 (high) CM-8
NIST 800-53 R5 (source) CM-8 PM-5
NIST 800-53B R5 (low) (source) CM-8
NIST 800-53B R5 (moderate) (source) CM-8
NIST 800-53B R5 (high) (source) CM-8
NIST 800-53 R5 (NOC) (source) PM-5
NIST 800-82 R3 LOW OT Overlay CM-8
NIST 800-82 R3 MODERATE OT Overlay CM-8
NIST 800-82 R3 HIGH OT Overlay CM-8
NIST 800-161 R1 CM-8 PM-5
NIST 800-161 R1 C-SCRM Baseline CM-8
NIST 800-161 R1 Flow Down CM-8 PM-5
NIST 800-161 R1 Level 2 CM-8 PM-5
NIST 800-161 R1 Level 3 CM-8 PM-5
NIST 800-171 R2 (source) 3.4.1
NIST 800-171A (source) 3.4.1[d] 3.4.1[e] 3.4.1[f]
NIST 800-171 R3 (source) 03.04.08.a 03.04.08.c 03.04.10.a 03.04.10.b 03.04.11.a
NIST 800-171A R3 (source) A.03.04.10.ODP[01] A.03.04.10.a A.03.04.10.b[01] A.03.04.10.b[02]
NIST 800-172 3.1.2e
NIST 800-207 NIST Tenet 1
NIST CSF 2.0 (source) ID.AM ID.AM-01 ID.AM-02
PCI DSS 4.0.1 (source) 6.3.2 9.5.1 9.5.1.1 11.2 11.2.2
PCI DSS 4.0.1 SAQ A-EP (source) 6.3.2
PCI DSS 4.0.1 SAQ B (source) 9.5.1 9.5.1.1
PCI DSS 4.0.1 SAQ B-IP (source) 9.5.1 9.5.1.1
PCI DSS 4.0.1 SAQ C (source) 9.5.1 9.5.1.1 11.2.2
PCI DSS 4.0.1 SAQ D Merchant (source) 6.3.2 9.5.1 9.5.1.1 11.2.2
PCI DSS 4.0.1 SAQ D Service Provider (source) 6.3.2 9.5.1 9.5.1.1 11.2.2
PCI DSS 4.0.1 SAQ P2PE (source) 9.5.1 9.5.1.1
SCF CORE Fundamentals AST-02
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) AST-02
SCF CORE ESP Level 1 Foundational AST-02
SCF CORE ESP Level 2 Critical Infrastructure AST-02
SCF CORE ESP Level 3 Advanced Threats AST-02
US (33)
Framework Mapping Values
US C2M2 2.1 ASSET-1.B.MIL2 ASSET-1.D.MIL2 ASSET-1.F.MIL3 ASSET-1.G.MIL3 ASSET-1.H.MIL3 ASSET-2.A.MIL1 ASSET-2.B.MIL2 ASSET-2.D.MIL2 ASSET-2.F.MIL3 ASSET-2.G.MIL3
US CERT RMM 1.2 ADM:SG1.SP1 TM:SG1.SP1
US CISA CPG 2022 1.A
US CMMC 2.0 Level 2 (source) CM.L2-3.4.1
US CMMC 2.0 Level 3 (source) AC.L3-3.1.2E CM.L2-3.4.1
US CMS MARS-E 2.0 CM-8 PM-5
US DoD Zero Trust Execution Roadmap 2.1 2.1.1 3.1 3.1.1
US DFARS Cybersecurity 252.204-70xx 252.204-7018(c)
US DHS CISA TIC 3.0 3.UNI.INVENT 3.PEP.DA.DINVE
US DHS ZTCF APP-01 SYS-03
US FedRAMP R4 CM-8
US FedRAMP R4 (low) CM-8
US FedRAMP R4 (moderate) CM-8
US FedRAMP R4 (high) CM-8
US FedRAMP R4 (LI-SaaS) CM-8
US FedRAMP R5 (source) CM-8
US FedRAMP R5 (low) (source) CM-8
US FedRAMP R5 (moderate) (source) CM-8
US FedRAMP R5 (high) (source) CM-8
US FedRAMP R5 (LI-SaaS) (source) CM-8
US FFIEC D1.G.IT.B.1 D4.RM.Dd.B.2 D4.C.Co.B.3
US HIPAA Administrative Simplification 2013 (source) 164.310(d)(2)(iii)
US HIPAA Security Rule / NIST SP 800-66 R2 (source) 164.310(d)(2)(iii)
US HIPAA HICP Small Practice 5.S.A
US HIPAA HICP Medium Practice 5.M.A 9.M.D
US HIPAA HICP Large Practice 5.M.A 9.M.D 2.L.E
US IRS 1075 CM-8 PM-5
US NERC CIP 2024 (source) CIP-011-3 1.1
US - CA CCPA 2025 7123(c)(4) 7123(c)(4)(B)
US - NY DFS 23 NYCRR500 2023 Amd 2 500.13(a) 500.13(a)(1) 500.13(a)(1)(i) 500.13(a)(1)(ii) 500.13(a)(1)(iii) 500.13(a)(1)(iv) 500.13(a)(1)(v) 500.13(a)(2)
US - TX DIR Control Standards 2.0 CM-8 PM-5
US - TX TX-RAMP Level 1 CM-8
US - TX TX-RAMP Level 2 CM-8
EMEA (15)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.5(53) 3.5(54)
EMEA EU DORA 8.4 8.6
EMEA EU NIS2 21.2(i)
EMEA EU NIS2 Annex 12.4.1 12.4.2 12.4.2(a) 12.4.2(b) 5.2(b)
EMEA Austria Sec 14 Sec 15
EMEA Belgium 16
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 8.2 12.2
EMEA Germany C5 2020 AM-01 AM-02
EMEA Saudi Arabia CSCC-1 2019 2-1-1-1
EMEA Saudi Arabia IoT CGIoT-1 2024 2-1-1
EMEA Saudi Arabia OTCC-1 2022 2-1 2-1-1 2-1-1-3
EMEA Spain CCN-STIC 825 7.3.1 [OP.EXP.1]
EMEA UAE NIAF 3.1.1
EMEA UK CAF 4.0 A3.a (point 1)
EMEA UK DEFSTAN 05-138 1301 2202 2310
APAC (7)
Framework Mapping Values
APAC Australia Essential 8 ML1-P1 ML1-P2 ML2-P1 ML2-P2 ML3-P1 ML3-P2
APAC Australia ISM June 2024 ISM-0336 ISM-1643 ISM-1807
APAC India SEBI CSCRF ID.AM.S1 ID.AM.S5 ID.AM.S6
APAC Japan ISMAP 8.1.1 8.1.1.6.PB
APAC New Zealand HISF 2022 HMS03
APAC New Zealand NZISM 3.6 8.4.8.C.01 8.4.9.C.01
APAC Singapore MAS TRM 2021 3.3.1(a) 3.3.2
Americas (4)
Framework Mapping Values
Americas Bermuda BMACCC 5.9
Americas Canada CSAG 3.1
Americas Canada OSFI B-13 2.2 2.2.2 2.2.3
Americas Canada ITSP-10-171 03.04.08.A 03.04.08.C 03.04.10.A 03.04.10.B 03.04.11.A

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to perform inventories of Technology Assets, Applications, Services and/or Data (TAASD) that: (1) Accurately reflects the current TAASD in use; (2) Identifies authorized software products, including business justification details; (3) Is at the level of granularity deemed necessary for tracking and reporting; (4) Includes organization-defined information deemed necessary to achieve effective property accountability; and (5) Is available for review and audit by designated organizational personnel.

Level 1 — Performed Informally

Asset Management (AST) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Asset management is informally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Asset inventories are performed in an ad hoc manner.
  • Software licensing is tracked as part of IT asset inventories.
  • Data process owners maintain limited network diagrams to document the flow of sensitive/regulated data that is specific to their initiative.
  • IT personnel work with data/process owners to help ensure secure practices are implemented throughout the System Development Lifecycle (SDLC) for all high-value projects.
  • Inventories are manual (e.g., spreadsheets).
  • Assets are assigned owners and are documented.
  • No structured process exists to review or share the results of the inventories.

Level 2 — Planned & Tracked

Asset Management (AST) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Asset management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for asset management.
  • Administrative processes and technologies focus on protecting High Value Assets (HVAs), including environments where sensitive/regulated data is stored, transmitted and processed.
  • Asset management is formally assigned as an additional duty to existing IT/cybersecurity personnel.
  • Technology Assets, Applications, Services and/or Data (TAASD) are categorized according to data classification and business criticality.
  • Inventories cover Technology Assets, Applications, Services and/or Data (TAASD) in scope for statutory, regulatory and/or contractual compliance, which includes both physical and virtual assets.
  • Software licensing is tracked as part of IT asset inventories.
  • Users are educated on their responsibilities to protect Technology Assets, Applications, Services and/or Data (TAASD) assigned to them or under their supervision.
  • IT/cybersecurity personnel maintain network diagrams to document the flow of sensitive/regulated data across the network.
  • Maintenance of asset inventory is performed at least annually.
  • Inventories of physical Technology Assets, Applications, Services and/or Data (TAASD) are assigned to individual users or teams and cover common devices (e.g., laptops, workstations and servers).
  • Inventories may be manual (e.g., spreadsheets) or automated.
  • No structured process exists to review or share the results of the inventories.
  • Annual IT asset inventories validate or update stakeholders/owners.

Level 3 — Well Defined

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
  • An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
  • Technology Assets, Applications, Services and/or Data (TAASD) are categorized according to data classification and business criticality criteria.
  • A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks, including the removal and prevention of certain technology services and/or equipment designated as supply chain threats by a statutory or regulatory body.
  • Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
  • Quarterly IT asset inventories are reviewed and shared with appropriate stakeholders.
  • Inventories are predominantly automated, but may have some manual components (e.g., cloud-based assets that are out of scope for automated inventory scans).
  • Inventory processes include Indicators of Compromise (IoCs) to identify evidence of physical tampering.
  • Inventory scans are configured to be recurring, based on ITAM tool configuration settings.
  • Annual IT asset inventories validate or update stakeholders/owners.
  • A Software Asset Management (SAM) solution is used to centrally manage deployed software.
  • An ITAM function, or similar function, conducts ongoing “technical debt” reviews of hardware and software technologies to remediate outdated and/or unsupported technologies.

Level 4 — Quantitatively Controlled

Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

Asset Management (AST) efforts are “world-class” capabilities that leverage predictive analysis (e.g., machine learning, AI, etc.). In addition to CMM Level 4 criteria, CMM Level 5 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Stakeholders make time-sensitive decisions to support operational efficiency, which may include automated remediation actions.
  • Based on predictive analysis, process improvements are implemented according to “continuous improvement” practices that affect process changes.

Assessment Objectives

  1. AST-02_A01: a documented, up-to-date, complete, accurate and readily available inventory of systems and system components exists.
  2. AST-02_A02: the system inventory includes hardware, software, firmware and documentation.
  3. AST-02_A03: the inventory is maintained (reviewed / updated) throughout the system development life cycle.
  4. AST-02_A04: approved systems and system components are identified.
  5. AST-02_A05: information deemed necessary to achieve effective systems and system component accountability is defined.
  6. AST-02_A06: the frequency at which to update the inventory of systems and system components is defined.
  7. AST-02_A07: the inventory of systems and system components is updated per an organization-defined frequency.
  8. AST-02_A08: the frequency at which to review and update the system component inventory is defined.
  9. AST-02_A09: an inventory of system components is developed and documented.
  10. AST-02_A10: the system component inventory is reviewed <A.03.04.10.ODP[01]: frequency>.
  11. AST-02_A11: the system component inventory is updated <A.03.04.10.ODP[01]: frequency>.

Evidence Requirements

E-AST-04 Asset Inventories - Hardware

Documented evidence of an inventory of the organization's technology hardware assets.

Asset Management

E-AST-05 Asset Inventories - Software

Documented evidence of an inventory of the organization's software assets.

Asset Management

E-AST-07 Cyber-Physical Systems (CPS)

Documented evidence of an inventory of the organization's physical assets that process functions based on software and networks.

Asset Management

Technology Recommendations

Micro/Small

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)
  • ManageEngine AssetExplorer (https://manageengine.com)
  • JAMF (https://jamf.com)

Small

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)
  • ManageEngine AssetExplorer (https://manageengine.com)
  • JAMF (https://jamf.com)

Medium

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)
  • ManageEngine AssetExplorer (https://manageengine.com)
  • Ivanti (https://ivanti.com)
  • ServiceNow (https://servicenow.com)
  • Solarwinds (https://solarwinds.com)
  • JAMF (https://jamf.com)

Large

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)
  • ManageEngine AssetExplorer (https://manageengine.com)
  • Ivanti (https://ivanti.com)
  • ServiceNow (https://servicenow.com)
  • Solarwinds (https://solarwinds.com)
  • JAMF (https://jamf.com)

Enterprise

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)
  • ManageEngine AssetExplorer (https://manageengine.com)
  • Ivanti (https://ivanti.com)
  • ServiceNow (https://servicenow.com)
  • Solarwinds (https://solarwinds.com)
  • JAMF (https://jamf.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.