AST-04.1: Asset Scope Classification

AST 8 — High Identify

Mechanisms exist to determine cybersecurity and data protection control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all Technology Assets, Applications and/or Services (TAAS) and personnel (internal and third-parties).

Control Question: Does the organization determine cybersecurity and data protection control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all Technology Assets, Applications and/or Services (TAAS) and personnel (internal and third-parties)?

General (32)
Framework Mapping Values
AICPA TSC 2017:2022 (used for SOC 2) (source) CC2.1-POF7 CC2.2-POF11 CC6.1-POF1
GovRAMP Low SA-05
GovRAMP Low+ SA-05
GovRAMP Moderate SA-05
GovRAMP High SA-05
IEC TR 60601-4-5 2021 4.1
ISO 27001 2022 (source) 4.3
ISO 27002 2022 5.12
ISO 42001 2023 4.3
NIST 800-53 R4 (high) PE-22 SA-5
NIST 800-53 R5 (source) PE-22 SA-5
NIST 800-53B R5 (low) (source) SA-5
NIST 800-53B R5 (moderate) (source) SA-5
NIST 800-53B R5 (high) (source) SA-5
NIST 800-53 R5 (NOC) (source) PE-22
NIST 800-82 R3 MODERATE OT Overlay PE-22
NIST 800-82 R3 HIGH OT Overlay PE-22
NIST 800-161 R1 SA-5
NIST 800-161 R1 C-SCRM Baseline SA-5
NIST 800-161 R1 Level 3 SA-5
NIST 800-171 R3 (source) 03.04.11.a 03.04.11.b
NIST 800-172 3.14.3e
NIST 800-207 NIST Tenet 1
NIST CSF 2.0 (source) ID.AM-05
PCI DSS 4.0.1 (source) A3.2.5
Shared Assessments SIG 2025 P.3.1
SPARTA CM001
TISAX ISA 6 1.2.3 1.2.4 8.2.4 8.2.6
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) AST-04.1
SCF CORE ESP Level 1 Foundational AST-04.1
SCF CORE ESP Level 2 Critical Infrastructure AST-04.1
SCF CORE ESP Level 3 Advanced Threats AST-04.1
US (5)
Framework Mapping Values
US CMMC 2.0 Level 3 (source) SI.L3-3.14.3E
US DHS ZTCF BAS-03
US IRS 1075 SA-5
US TSA / DHS 1580/82-2022-01 III.B.1.c
US - CA CCPA 2025 7123(c)(4)(A)
EMEA (3)
Framework Mapping Values
EMEA EU EBA GL/2019/04 3.3.3(17) 3.3.3(18)
EMEA EU NIS2 Annex 11.7.2 12.1.1 12.1.3
EMEA Germany Banking Supervisory Requirements for IT (BAIT) 12.4
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.04.11.A 03.04.11.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to determine cybersecurity and data protection control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all Technology Assets, Applications and/or Services (TAAS) and personnel (internal and third-parties).

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to determine cybersecurity and data protection control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all Technology Assets, Applications and/or Services (TAAS) and personnel (internal and third-parties).

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to determine cybersecurity and data protection control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all Technology Assets, Applications and/or Services (TAAS) and personnel (internal and third-parties).

Level 3 — Well Defined

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:

  • An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
  • An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
  • Technology assets and data are categorized according to data classification and business criticality criteria.
  • A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks, including the removal and prevention of certain technology services and/or equipment designated as supply chain threats by a statutory or regulatory body.
  • Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
  • Stakeholders perform annual scoping evaluations to determine cybersecurity and data protection control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all Technology Assets, Applications and/or Services (TAAS) and personnel (internal and third-parties).

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to determine cybersecurity and data protection control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all Technology Assets, Applications and/or Services (TAAS) and personnel (internal and third-parties).

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to determine cybersecurity and data protection control applicability by identifying, assigning and documenting the appropriate asset scope categorization for all Technology Assets, Applications and/or Services (TAAS) and personnel (internal and third-parties).

Assessment Objectives

  1. AST-04.1_A01 system hardware components to be marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component are defined.
  2. AST-04.1_A02 system hardware components are marked indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component.

Evidence Requirements

E-AST-02 Asset Scoping Guidance

Documented evidence of asset scoping guidance. This is program-level documentation, in the form of a runbook, playbook or similar format, that provides guidance on defining in-scope systems, applications, services, processes and third-parties.

Asset Management
E-CPL-02 Defined Compliance Scope (DCS)

Documented evidence of a formal scoping document that identifies applicable statutory, regulatory and/or contractual obligations for the organization. It defines the affected Lines of Business (LOB), internal / external stakeholders and facilities for the specific scope of compliance obligations.

Compliance
E-DCH-01 Data Classification Scheme

Documented evidence of an organization-specific data classification scheme.

Data Protection
E-DCH-02 Data Handling Practices

Documented evidence of organization-specific data handling practices (e.g., guidance specific to the data classification scheme).

Data Protection

Technology Recommendations

Micro/Small

  • Unified Scoping Guide (https://unified-scoping-guide.com)

Small

  • Unified Scoping Guide (https://unified-scoping-guide.com)

Medium

  • Unified Scoping Guide (https://unified-scoping-guide.com)

Large

  • Unified Scoping Guide (https://unified-scoping-guide.com)

Enterprise

  • Unified Scoping Guide (https://unified-scoping-guide.com)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.