AST-02.11: Component Assignment

There is no evidence of a capability to bind components to a specific system.

C|P-CMM1 is N/A, since a structured process is required to bind components to a specific system.

C|P-CMM2 is N/A, since a well-defined process is required to bind components to a specific system.

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

• An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
• An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
• Technology assets and data are categorized according to data classification and business criticality criteria.
• A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
• Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to bind components to a specific system.

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to bind components to a specific system.