Skip to main content

AST-03.2: Provenance

AST 8 — High Identify

Mechanisms exist to track the origin, development, ownership, location and changes to Technology Assets, Applications, Services and/or Data (TAASD).

Control Question: Does the organization track the origin, development, ownership, location and changes to Technology Assets, Applications, Services and/or Data (TAASD)?

General (12)
Framework Mapping Values
CIS CSC 8.1 16.5
IEC 62443-4-2 2019 CR 3.13 (7.15) EDR 3.12 (13.7.1)
ISO 27002 2022 5.21
ISO 42001 2023 A.7.5
MITRE ATT&CK 10 T1041, T1048, T1048.002, T1048.003, T1052, T1052.001, T1059.002, T1204.003, T1505, T1505.001, T1505.002, T1505.004, T1546.006, T1554, T1567, T1601, T1601.001, T1601.002
NIST 800-53 R5 (source) SR-4 SR-4(1) SR-4(2)
NIST 800-53 R5 (NOC) (source) SR-4 SR-4(1) SR-4(2)
NIST 800-161 R1 SR-4
NIST 800-161 R1 Level 2 SR-4
NIST 800-161 R1 Level 3 SR-4
SPARTA CM0026 CM0049
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) AST-03.2
US (2)
Framework Mapping Values
US DoD Zero Trust Reference Architecture 2.0 4.2
US DHS CISA SSDAF 3
APAC (1)
Framework Mapping Values
APAC Australia ISM June 2024 ISM-1790 ISM-1791 ISM-1792

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to track the origin, development, ownership, location and changes to Technology Assets, Applications, Services and/or Data (TAASD).

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to track the origin, development, ownership, location and changes to Technology Assets, Applications, Services and/or Data (TAASD).

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to track the origin, development, ownership, location and changes to Technology Assets, Applications, Services and/or Data (TAASD).

Level 3 — Well Defined

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
  • An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
  • Technology assets and data are categorized according to data classification and business criticality criteria.
  • A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
  • Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
  • ITAM tracks the origin, development, ownership, location and changes to a system, system components and associated data.
Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to track the origin, development, ownership, location and changes to Technology Assets, Applications, Services and/or Data (TAASD).

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to track the origin, development, ownership, location and changes to Technology Assets, Applications, Services and/or Data (TAASD).

Assessment Objectives

  1. AST-03.2_A01 systems, system components and associated data that require valid provenance are defined.
  2. AST-03.2_A02 valid provenance is documented for systems, system components and associated data.
  3. AST-03.2_A03 valid provenance is monitored for systems, system components and associated data.
  4. AST-03.2_A04 valid provenance is maintained for systems, system components and associated data.
  5. AST-03.2_A05 supply chain elements, processes and personnel associated with systems and critical system components that require unique identification are defined.
  6. AST-03.2_A06 unique identification of supply chain elements, processes and personnel is established.
  7. AST-03.2_A07 unique identification of supply chain elements, processes and personnel is maintained.
  8. AST-03.2_A08 systems and critical system components that require unique identification for tracking through the supply chain are defined.
  9. AST-03.2_A09 the unique identification of systems and critical system components is established for tracking through the supply chain.
  10. AST-03.2_A10 the unique identification of systems and critical system components is maintained for tracking through the supply chain.

Evidence Requirements

E-AST-22 Provenance

Documented evidence of that tracks the origin, development, ownership, location and changes to systems, system components and associated data.

Asset Management

Technology Recommendations

Micro/Small

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)

Small

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)

Medium

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)

Large

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)

Enterprise

  • IT Asset Management (ITAM) program
  • Configuration Management Database (CMDB)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.

Manage this control in SCF Connect

Track implementation status, collect evidence, and map controls to your compliance frameworks automatically.

Get Started Free