- Use this tool to build a complete CMMC Asset Inventory & Categorization Report for your assigned case study company.
- Start with Organization Information — click Edit Organization to enter company details.
- Add assets to each of the five CMMC categories using the Add Asset buttons in each section.
- Complete the Data Flow, Network Segmentation, and Compliance Assessment narrative fields.
- Use Save Progress to store your work locally, or Export to download a file.
- When finished, use Print / PDF to submit your report — toolbar and instructions will be hidden.
Executive Summary
This Asset Inventory & Categorization Report provides a comprehensive assessment of [Organization Name]'s IT assets in accordance with CMMC 2.0 Level 2 requirements and NIST SP 800-171 standards. The report categorizes all organizational assets into the five CMMC-defined categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets.
Organization Information
Company Details
Name: [Not entered]
Location: [Not entered]
Employees: [Not entered]
Primary Business: [Not entered]
CMMC Scope
Assessment Level: [Not entered]
Information Types: [Not entered]
Contract Authority:
IT Infrastructure
Main Facility: [Not entered]
Network: [Not entered]
Cloud Services: [Not entered]
Remote Access: [Not entered]
Key Personnel
Contract Coordinators: [Not entered]
CISO: [Not entered]
IT Staff: [Not entered]
Office / Mgmt Personnel: [Not entered]
Asset Category Legend
CUI Assets
Assets that process, store, or transmit Controlled Unclassified Information. These are in scope and must meet all CMMC Level 2 / NIST SP 800-171 requirements.
| Asset ID | Asset Name | Type | Location | CUI Data Types | Primary Users | Compliance Status | Actions |
|---|---|---|---|---|---|---|---|
| No CUI assets added yet — click "Add CUI Asset" to begin. | | | | | | | |
Security Protection Assets
Assets that provide security functions and capabilities to protect CUI assets and the CMMC assessment scope.
| Asset ID | Asset Name | Type | Location | Security Function | Protected Assets | Compliance Status | Actions |
|---|---|---|---|---|---|---|---|
| No Security Protection assets added yet — click the button above. | | | | | | | |
Contractor Risk Managed Assets
Assets that can, but are not intended to, process, store, or transmit CUI because of the security policies and procedures in place. Managed through contractor controls.
| Asset ID | Asset Name | Type | Location | Risk Management Measures | Policy Controls | Compliance Status | Actions |
|---|---|---|---|---|---|---|---|
| No Contractor Risk Managed assets added yet. | | | | | | | |
Specialized Assets
Assets with unique security requirements or limitations that may process CUI but cannot be fully secured (e.g., IoT devices, legacy systems, operational technology).
| Asset ID | Asset Name | Type | Location | Specialization Reason | Risk Mitigation | Compliance Status | Actions |
|---|---|---|---|---|---|---|---|
| No Specialized assets added yet. | | | | | | | |
Out-of-Scope Assets
Assets that cannot process, store, or transmit CUI and do not provide security protections for CUI assets. Must be demonstrably separated.
| Asset ID | Asset Name | Type | Location | Usage | Separation Method | Actions |
|---|---|---|---|---|---|---|
| No Out-of-Scope assets added yet. | | | | | | |
Data Flow and Network Architecture
CUI Data Flow
Describe how Controlled Unclassified Information enters, moves through, and exits your organization's systems (ingress → processing → storage → transmission → access control):
Network Segmentation
Describe the network zones used to protect CUI and separate out-of-scope assets: