Purpose

The purpose of the document is to cover moderate level of CMMC compliance automation capturing the asset management area of the boundary.


Prerequisite

Content outlined in the CMMC Solution - Basic Automation Use Case must be completed before you can work on items outlined in this article. This article focuses on the standalone Asset Management module; however, we do not recommend that you implement this without completing the set up within the Compliance Module for proper integration between the two modules.


Relevant Platform Modules and Features

  • Ignyte Compliance Management Module (Basic Automation)
  • Ignyte Asset Management Module (Moderate Automation)
    • Customer-supplied CMDB (if available) - for integration with the Platform, or 
    • Customer-supplied inventory, in any format, that can be easily converted to CSV, XLS, or XLSX


Customer Information Required to Automate

  • Hardware & Software Inventory
    • Security Boundary also known as your Authorization Boundary
      • Asset Inventory categorized within your boundary


Moderate Automation Steps

  1. Validate Asset Management Module Access
  2. Define Asset Fields & Types - DoD/CMMC PMO has not released the official templates, please reach out to your Service Delivery rep for template assistance
  3. Building an Asset Inventory
    1. Scanners
    2. API
    3. Uploading your Asset Manually
  4. Linking Assets to a Compliance System
  5. Linking Assets to a Control Requirement
  6. Attaching Artifacts and Creating Relationships


1. Validate access to the Asset Management Module

Ensure you are licensed for the Asset Management & Automation module by inspecting the top menu for the "Assets" menu and the Compliance System menu for the "Assets". If you see the top menu item but don't see it in the Compliance System menu, navigate to the Options | Edit System | Advanced Configuration menu and toggle the "Asset" option under Custom Settings to the on position. 


If you don't see any of the "Asset" menus mentioned above, please submit a ticket in the support desk or reach out to your Service Delivery Rep to discuss options to add the Asset Management module to your instance.


2. Define Asset Fields & Types 

Asset Fields & Types allow you to configure your data model according to your asset inventory schema. For CMMC, you'll need to think about the following types of assets:

  • Contractor Risk Managed Assets
  • Controlled Unclassified Information (CUI) Assets
  • Federal Contract Information (FCI) Assets
  • Out-of-Scope Assets
  • Security Protection Assets
  • Specialized Assets

You can also contact an Ignyte team-member to help configure the schema according to Hardware and Software inventory for your boundary. Furthermore, you may leverage this capability to classify your CUI data type as "Data" that can be considered an organizational asset. For more information see the Asset Management | Asset Types & Fields article.


3. Building an Asset Inventory

Ignyte supports several methods of gathering data from external systems by using Scanners, by using an API, or by manually importing data that is exported to Excel or CSV format.


a. Scanners

Ignyte currently supports custom built scanners for runZero (fka Rumble). You can find this under Settings | Asset Management within the Scanner Configuration area. Contact Ignyte if you are leveraging a different solution for your CMDB.


b. Ignyte's Asset API

Ignyte leverages OpenAPI as its specification for writing API calls and documentation. User must generate an external API key for the asset management mode from the Settings | Asset Management within the External API Configuration area. 


c. Uploading your Asset Manually:

Ignyte also provides the capability to upload your assets manually into the Platform. Please see Building an Asset Inventory article for instructions on manually uploading data. There is a companion video available as well within the Asset Management Overview article.


4. Linking Assets to a Compliance System

To link assets to specific requirements within the system, you must first associate the assets you need to a system. To get a better understanding on how to do this, take a look at the Asset Module | Linking Assets to a Compliance System article.


5. Linking Assets to a Control Requirement

Once you've associated assets to your system, you'll want to link the appropriate assets to the systems control requirement. The Asset Module | Linking Assets to a Control Requirement article provides the instructions on how to accomplish this task. 


6. Attaching Artifacts and Creating Relationships

Attaching artifacts (such as a diagram) and creating relationships adds another layer of detail to your Compliance System that will help define your assets and build understanding of the interconnection of your assets and how they work together to support your business and your compliance efforts. Information on how to do this can be found in the Asset Module | Attaching Artifacts and Creating Relationships article.