Executive Summary
This Asset Inventory & Categorization Report provides a comprehensive assessment of ACME Technology Services Corporation's IT assets in accordance with CMMC 2.0 Level 2 requirements and NIST SP 800-171 standards. The report categorizes all organizational assets into the five CMMC-defined categories: CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and Out-of-Scope Assets.
Organization Information
Company Details
Name: ACME Technology Services Corporation
Location: El Paso, Texas
Employees: 64
Primary Business: US Army uniform and textile services
CMMC Scope
Assessment Level: CMMC 2.0 Level 2
Information Types: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)
Contract Authority:
IT Infrastructure
Main Facility: Office complex and warehouse
Network: Wireless and Ethernet connectivity
Cloud Services: Amazon cloud backup services
Remote Access: VPN with access controls
Key Personnel
Contract Coordinators: 3
Chief Information Security Officer: 1
IT Staff: 4
Office/Management Personnel: Variable access
Asset Category Legend
CUI Assets
Assets that process, store, or transmit Controlled Unclassified Information related to US Army contracts.
| Asset ID | Asset Name | Type | Location | CUI Data Types | Primary Users | Compliance Status | Actions |
|---|
Security Protection Assets
Assets that provide security functions and capabilities to protect CUI assets and the CMMC assessment scope.
| Asset ID | Asset Name | Type | Location | Security Function | Protected Assets | Compliance Status | Actions |
|---|
Contractor Risk Managed Assets
Assets that can, but are not intended to, process, store, or transmit CUI due to security policies and procedures.
| Asset ID | Asset Name | Type | Location | Risk Management Measures | Policy Controls | Compliance Status | Actions |
|---|
Specialized Assets
Assets with unique security requirements or limitations that may process CUI but cannot be fully secured.
| Asset ID | Asset Name | Type | Location | Specialization Reason | Risk Mitigation | Compliance Status | Actions |
|---|
Out-of-Scope Assets
Assets that cannot process, store, or transmit CUI and do not provide security protections for CUI assets.
| Asset ID | Asset Name | Type | Location | Usage | Separation Method | Actions |
|---|
Data Flow and Network Architecture
CUI Data Flow
Controlled Unclassified Information flows through the following path:
- Ingress: CUI enters via secure email, VPN file transfers from US Army contracting offices
- Processing: Contract coordinators access and modify CUI on designated workstations
- Storage: CUI is stored on the primary data server with encrypted backups to Azure cloud
- Transmission: CUI is transmitted via encrypted channels through VPN or secure email
- Access Control: All CUI access is logged and controlled through Active Directory authentication
Network Segmentation
The network is segmented into the following security zones:
- CUI Zone: Houses all CUI assets with restricted access
- Management Zone: Administrative systems with controlled CUI access
- DMZ: Firewall, VPN gateway, and external-facing services
- Guest Network: Isolated network for personal devices and visitors
- OT Network: Isolated operational technology for building systems
Compliance Assessment Summary
Assessment Status
Overall Status: Ready for Assessment
Documentation Complete: Yes
Asset Inventory: 100% Complete
Network Diagrams: Current and accurate
Risk Assessment
High Risk Assets: 0
Medium Risk Assets: 1
Low Risk Assets: 22
Mitigated Risks: All identified risks have mitigation plans
Security Controls
Access Controls: Implemented
Encryption: FIPS 140-2 validated
Logging & Monitoring: Centralized
Physical Security: Badge access implemented
Recommendations
Priority 1: Complete warehouse system security assessment
Priority 2: Update specialized asset documentation
Priority 3: Quarterly asset inventory reviews
Next Review: Quarterly