CMMC 2.0: Questions to Ask When Identifying Assets

What’s New in CMMC | Column 5

“What’s New in CMMC” is a regular column from MxD explaining aspects of the CMMC 2.0 framework.


Manufacturers preparing for Cybersecurity Maturity Model Certification (CMMC) 2.0 compliance have lengthy to-do lists to shore up their cybersecurity.

High on those lists should be identifying and logging the assets, or tools, that come into contact with Department of Defense federal contract information (FCI) and controlled unclassified information (CUI), said Laura Élan, MxD’s senior director of cybersecurity.

Such assets, she said, are attractive targets for cybercriminals.

If they are compromised, information that an organization must keep confidential (in the case of federal contract data) or wants to keep confidential can be exposed.

A logical first step when working on cybersecurity best practices ahead of CMMC 2.0 implementation is figuring out how defense contract information reaches an organization and where it is handled.

“Once a company has scoped where FCI and CUI reside, it should create a perimeter and turn its attention to identifying the assets inside that perimeter,” Élan said.

To do that, she said, manufacturers should make a detailed list of assets, such as file servers, computers, and printers. Then they should catalog equipment attributes — such as whether they are wired or wireless — and note all touchpoints and interfaces.

Questions to ask when creating such a list include:

  • How many computers are in the perimeter and what operating systems are used?
  • Do workers use laptops that can be taken out of the perimeter?
  • Which data flows between computers?
  • Where is each file server? Are servers inside the building or in the cloud?
  • Where are the cloud connections? (And don’t forget that the cloud must be cyber secure. A report released in June found that more than half of organizations reported experiencing a cyberattack on their cloud infrastructure within the last year.)
  • Where are printers? Are they in a locked room? Or are they easily accessible to anyone in the perimeter?
  • What are the different types of software and firmware being used?

An easy way to look at it, Élan said, is to imagine that a company is a house with a pet. Initial scoping steps are like outlining the rooms in the house where the pet is allowed. Identifying assets is like looking at items in those rooms to determine what can harm the pet or what it can harm. Characterizing the assets determines whether the item can be removed or protected, and supports the best type of protection for that item.

As defense contractors work on shoring up their cybersecurity ahead of CMMC 2.0’s implementation, the Department of Defense is also at work.

Officials earlier said that rule-making for the framework could take until late 2023. But according to recent news reports, the CMMC 2.0 rule is now expected to be released in May 2023, with CMMC 2.0 requirements possibly showing up in Pentagon contracts as soon as next summer.

Tabletop exercises to test this latest CMMC iteration and get feedback are to take place this summer, according to those reports.


MxD’s new Playbook for CMMC 2.0 Level 1 includes additional tips that can help prevent insider threats, such as ways to lock down a company network by limiting access to ports or using subnetworks to keep visitors off of the main company systems.

What’s New in CMMC Series:

Article #1: CMMC 2.0 Cybersecurity Framework: What to Expect
Article #2: CMMC 2.0: Why Manufacturers Should Get Started Now
Article #3: CMMC 2.0: Start With Scoping
Article #4: CMMC 2.0: The High Cost of Skipping Cyber Certification