ASSET MANAGEMENT AND INVENTORY STANDARD

Authoritative Inventory · Asset Classes · Ownership · Classification · Lifecycle · End-of-Life

Table of Contents

1. Purpose and Scope
2. Principles
3. Asset Classes
4. The Authoritative Inventory
5. Required Attributes
6. Asset Ownership
7. Asset Criticality and Classification
8. The Asset Lifecycle
9. End-of-Life and Secure Disposal
10. Inventory Accuracy and Reconciliation
11. Roles and Responsibilities
12. Regulatory and Framework Alignment Summary
13. Document Control

1. Purpose and Scope

Every other control in CERG assumes the program knows what it is protecting. Exposure management scans an asset list. Access management governs access to systems. The control baseline maps evidence to assets. Logging collects from sources. Each of those depends on an authoritative answer to a deceptively simple question: what do we have? Until this standard, CERG had no document that owned that question.

This standard establishes the requirement for an authoritative asset inventory: the asset classes that must be tracked, the inventory itself, the attributes every asset record carries, how ownership is assigned, how assets are classified by criticality, and how assets move through a lifecycle from acquisition to secure disposal.

It applies to every in-scope asset across every environment: owned hardware, cloud and hybrid infrastructure, SaaS, operational technology, and the data assets the rest of the estate exists to serve.

You Cannot Protect, Detect, or Recover What You Have Not Named

An unknown asset is an uncontrolled asset. It is not patched, because exposure management does not know it exists. Its access is not reviewed, because access management has no record of it. It is not backed up, monitored, or hardened. Asset management is not paperwork; it is the precondition for every other thing CERG does. This is why NIST CSF places asset management first, in the IDENTIFY function, and why CIS makes it Control 1.

2. Principles

1. One authoritative inventory. There is exactly one authoritative source for each asset class. Spreadsheets maintained in parallel are not the inventory. Where multiple tools hold asset data, one is named authoritative and the others reconcile to it.
2. Every asset has exactly one owner. Ambiguous ownership is the root cause CERG exists to remove. An asset with no owner, or two owners, is a finding.
3. The inventory is current, not annual. An inventory that is accurate once a year is inaccurate the other 364 days. The inventory updates as assets change, driven by automation wherever possible.
4. Discovery is continuous. The program actively looks for assets it does not know about. An inventory built only from what teams choose to register will always be incomplete.
5. Classification drives treatment. An asset’s criticality and data classification determine the controls applied to it. Asset management produces the classification; the other standards consume it.
6. Disposal is part of the lifecycle. An asset is tracked until it is securely disposed of, not until it stops being interesting. Forgotten assets at end-of-life are a common breach path.

3. Asset Classes

CERG tracks five asset classes. Each has a named authoritative inventory.

3.1 Ephemeral Asset Pattern

Containers, serverless functions (AWS Lambda, Azure Functions, GCP Cloud Functions), CI/CD pipeline runners, auto-scaling groups, and dynamically provisioned cloud resources do not have stable instance identities or persistent owners. The persistent-instance model in §3 does not apply; the following pattern governs instead.

Ephemeral ≠ Unmanaged. Ephemeral assets are not exempt from inventory, ownership, scanning, or evidence. The method changes; the requirement does not. A container that runs for 60 seconds without an owner, without a scan, and without a baseline is as uncontrolled as a physical server racked without a ticket.

OT Assets Are In Scope and Need Care

Operational technology assets are tracked like every other asset, but discovery against OT is constrained: active scanning can disrupt control systems. OT asset discovery uses passive and OT-safe methods per CERG-STD-OT-001. The requirement to inventory OT assets is identical to any other class. The method of discovery is not. For NERC-CIP entities, the OT hardware inventory is also the basis of BES Cyber System identification under CIP-002.

4. The Authoritative Inventory

1. Each asset class has one named authoritative inventory. The authoritative inventory for each class is recorded, with its owner, in the organization profile or an organization-specific appendix to this standard.
2. The inventory is a system, not a document. For any estate beyond the smallest, the inventory is a tooled system fed by automated discovery, not a hand-maintained file. A five-person team may start with a structured file; it migrates to tooling as the estate grows.
3. Inventories interconnect. A software record references the hardware or cloud asset it runs on. A data asset references the system that hosts it. An identity references what it can access. The inventory is a graph, not five disconnected lists.
4. The inventory feeds the program. The inventory is the source list for exposure management scanning, the access-review population, the logging source catalog, and the control-baseline evidence mapping. Those consumers reconcile to the inventory; they do not maintain their own.

5. Required Attributes

Every asset record, regardless of class, carries the following attributes at minimum. An asset record missing a required attribute is incomplete and is a reconciliation finding.

Regulated scopes carry additional attributes: NERC-CIP assets carry their BES Cyber System categorization; CUI assets carry their CUI category. Those overlays are defined in the relevant operational package.

6. Asset Ownership

1. Every asset has exactly one owner. The owner is a named role accountable for the asset’s security posture, its classification, and decisions about its lifecycle. The owner is not necessarily the person who operates it.
2. Ownership is assigned at acquisition. An asset does not enter the estate without an owner. The acquisition step of the lifecycle (Section 8) does not complete until ownership is recorded.
3. Ownership is reassigned, never dropped. When an owner leaves a role, the asset’s ownership transfers to a named successor. An asset whose owner has left and has no successor is an orphaned asset and is a finding.
4. The custodian is distinct from the owner. A cloud platform team may operate a server an application team owns. The inventory records both. The owner decides; the custodian runs.

An Orphaned Asset Is How Programs Get Breached

The asset no one owns is the asset no one patches, no one reviews, and no one decommissions. It runs an unsupported operating system for three years because removing it is no one’s job. Orphaned assets are found in nearly every significant breach retrospective. CERG treats an asset with no current owner as an open finding, tracked in the risk register until ownership is restored.

7. Asset Criticality and Classification

7.1 Criticality Tiers

Every asset is assigned a criticality tier. Criticality reflects the business and safety impact if the asset is compromised or unavailable.

7.2 Data Classification

Every asset carries the classification of the highest-classified data it stores or processes. The classification scheme itself is owned by CERG-STD-DG-001. Assets in CUI scope also carry the CUI handling attributes required by CERG-STD-CUI-001.

7.3 What Classification Drives

The criticality tier and data classification of an asset determine, at minimum: its exposure remediation SLA under CERG-PRC-VM-001, its access-review frequency under CERG-STD-AC-001, its logging requirements under CERG-STD-LM-001, and its backup and recovery objectives under CERG-STD-RES-001. Asset management produces the classification once; every other standard consumes it.

8. The Asset Lifecycle

Every asset moves through a defined lifecycle. The inventory records the asset’s current state.

An asset record is never deleted. A disposed asset is marked Disposed and retained, so the inventory carries a complete history for audit.

9. End-of-Life and Secure Disposal

1. End-of-life is planned, not discovered. An asset approaching the end of vendor support is identified before support ends, and a replacement or extended-support decision is made deliberately. An asset running past end-of-support with no decision recorded is a finding and a risk register entry.
2. Data is removed before disposal. Before an asset leaves the estate, data on it is securely sanitized to a standard appropriate to the data’s classification. Cryptographic erasure per CERG-STD-CR-001 is acceptable where keys can be destroyed; physical destruction is used where it cannot.
3. Access and identity are revoked. Decommissioning includes revoking the asset’s own credentials and any access granted to it, per CERG-STD-AC-001.
4. Disposal is evidenced. Secure disposal produces a record: what asset, what sanitization method, when, and by whom. The record is retained as control evidence. For regulated assets, the disposal record is part of the regulatory evidence set.
5. Cloud and SaaS disposal counts. Decommissioning a cloud resource or terminating a SaaS tenant is disposal. Data deletion, key destruction, and confirmation of tenant closure are required exactly as for physical hardware.

10. Inventory Accuracy and Reconciliation

An inventory is only as useful as it is accurate. Accuracy is maintained, not assumed.

1. Continuous discovery runs against every environment. Automated discovery identifies assets and compares them to the inventory. An asset found by discovery but absent from the inventory is an unmanaged asset and is investigated.
2. Reconciliation runs on a defined cadence. The inventory is reconciled against discovery output, against the consuming systems (vulnerability scanner, access platform, logging catalog), and against procurement records. Discrepancies are findings.
3. An unmanaged asset is contained. An asset discovered outside the inventory is either brought under management (owner assigned, baseline applied, record created) or removed from the estate. It is not left in an unknown state.
4. Inventory completeness is a reported metric. The percentage of the estate under management, and the count of unmanaged assets found, are reported per CERG-GOV-MTR-001. A program that does not measure its inventory accuracy does not know it has one.

The Inventory You Do Not Reconcile Is a Guess

Every inventory drifts. Assets are spun up outside process, shadow SaaS is subscribed with a credit card, a contractor leaves a virtual machine running. An inventory that is not actively reconciled against independent discovery slowly becomes fiction while still being trusted as fact, which is worse than having no inventory at all. Reconciliation is what keeps the inventory honest.

11. Roles and Responsibilities

Roles below are the canonical role names from CERG-GOV-OM-001 §6.1.

12. Regulatory and Framework Alignment Summary

13. Document Control

Revision History

Review Triggers

• Material change to the asset estate, environments, or inventory tooling
• Publication of the Data Governance and Classification Standard, which sets the classification scheme
• Revision of NIST CSF, CIS Controls, or NERC-CIP CIP-002
• Internal audit or regulatory finding affecting asset inventory
• Direction from the CISO

Cyber Engineering owns this document. The Engineering Pillar Leader (Platforms) is responsible for initiating reviews, managing the revision cycle, and obtaining Governance Pillar Leader approval, with CISO endorsement, for all changes.

Related Documents

Source: standards/CERG-STD-AM-001_Asset_Management_and_Inventory_Standard.md · Download .md · View on GitHub