If you’re a small DoD contractor, your CMMC asset inventory can feel like one more spreadsheet to babysit. But for Level 2, it’s not “nice to have.” It’s a basic proof point that you understand what’s in your environment, what touches CUI, and what protects it.
I like to think of asset inventory like a tool crib on a job site. If you can’t name what you have, where it is, and who’s responsible, you can’t protect it, patch it, or explain it to an assessor without a lot of stress.
In this post, I’ll show what counts as an asset for CMMC Level 2 scoping, share a copy/paste inventory template, and give you a 1 to 2-week plan to build it and keep it current.
What counts as an “asset” in CMMC Level 2 scoping
For Level 2, “asset” is broader than laptops and servers. Your inventory needs to reflect the assessment scope and how you handle Controlled Unclassified Information (CUI). The DoD’s Level 2 scoping guide is the best plain-English reference, and I keep it bookmarked for every project (CMMC Scoping Guide Level 2).
In practical terms, I inventory assets in these categories:
- CUI Assets: Endpoints, servers, shares, apps, and cloud resources that process, store, or transmit CUI.
- Security Protection Assets: Firewalls, identity providers, EDR/AV, email security, SIEM, vulnerability scanners. Even if they never touch CUI, they protect the environment and still matter.
- Contractor Risk Managed Assets: “Nearby” systems that could impact CUI because they connect to the same identity, network, or admin plane, but are controlled by policy and technical guardrails.
- Specialized Assets: Lab gear, OT, IoT, test stands, tools, or government-furnished equipment. If they connect, they count.
- Out-of-scope assets: Truly separate systems, but don’t ignore them. Track them at a basic level so you can prove separation.
The big miss I see: teams forget to list cloud and SaaS. Microsoft 365 tenants, SharePoint sites, Teams, Entra ID, ticketing systems, file transfer tools, and collaboration platforms can all store or move CUI. If you want a readable breakdown of CMMC scoping and asset categories, this summary aligns well with the DoD guidance (CMMC scoping and asset categories).
Also include service providers. If an MSP manages your endpoints, your firewall, your backups, or your Office 365 tenant, that provider is part of your operational reality. Inventory the provider relationship, their access path, and what they administer.
A copy/paste CMMC Level 2 asset inventory template (spreadsheet-style)
This is the template I use when the goal is “audit-ready without gold-plating.” Keep it as one sheet to start. If you grow, split into tabs (Endpoints, Network, Servers, Cloud, SaaS, Providers).
| Unique ID | Asset type | Owner | Location | System role | OS/firmware | Network segment | Serial/hostname | IP/MAC | Cloud account/subscription | CUI access/processing/storage | Authorization status | Criticality | Last seen | Patch level | EDR/AV status | Encryption | Backup | Disposal date |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| END-001 | Laptop | J.Smith | HQ | CUI user endpoint | Win 11 23H2 | CUI-VLAN | JS-LT-0442 / SN123 | 10.20.5.23 / 00:11… | M365 Tenant A | Access (email, Teams) | Authorized | High | 2026-02-10 | Feb 2026 | Defender for Endpoint Healthy | BitLocker On | OneDrive + image monthly | |
| SRV-003 | VM server | IT | Azure | File share for CUI | Win Server 2022 | CUI-Subnet | CUI-FS01 | 10.20.2.10 | Azure Sub 001 | Storage | Authorized | High | 2026-02-11 | Feb 2026 | EDR Installed | Disk encryption On | Daily + immutable | |
| SAAS-007 | SaaS | IT | Cloud | Ticketing | SaaS (vendor) | N/A | Tenant: Helpdesk | N/A | Contract PO 8841 | None (no CUI) | Risk-managed | Medium | 2026-02-01 | Vendor managed | SSO + MFA | N/A | Export monthly | 2028-12-31 |
A few notes that keep assessors from poking holes:
- Unique ID: Make it stable. Don’t reuse IDs, even after disposal.
- Authorization status: Use simple values (Authorized, Risk-managed, Specialized, Out-of-scope, Pending).
- Last seen: This is how you catch “ghost laptops” that still exist in your directory but left the company.
- CUI access/processing/storage: Don’t write essays. Just pick one or two words that describe the relationship.
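As an added example (not from the original post), here is a small Python check that enforces those notes against an inventory exported from the template as CSV: duplicate Unique IDs, missing owners, authorization statuses outside the fixed vocabulary, "ghost" assets whose Last seen date is old with no disposal date, and over-long CUI relationship values. The 45-day staleness threshold, the reference date, and the sample rows are all assumptions constructed for the example; the column names are the template's.

```python
"""Validate a CMMC Level 2 asset inventory exported as CSV.

Added example, not from the original post. It applies the rules from the
template notes: stable Unique IDs, a fixed set of authorization status values,
every asset owned, a recent "Last seen", and a short CUI relationship value.
"""
import csv
import io
from datetime import date, datetime

ALLOWED_STATUS = {"Authorized", "Risk-managed", "Specialized", "Out-of-scope", "Pending"}
STALE_DAYS = 45                    # assumption: unseen for 45+ days = possible ghost asset
REFERENCE_DATE = date(2026, 2, 15)  # assumption: "today" for the constructed sample

# Constructed sample sheet using a subset of the template columns.
# Row 2 has no owner and an old Last seen; row 3 reuses END-001 and uses a
# status outside the vocabulary.
SAMPLE_CSV = """Unique ID,Asset type,Owner,Authorization status,CUI access/processing/storage,Last seen,Disposal date
END-001,Laptop,J.Smith,Authorized,Access,2026-02-10,
END-002,Laptop,,Authorized,Access,2025-09-30,
END-001,Laptop,K.Lee,Approved,Storage,2026-02-11,
SAAS-007,SaaS,IT,Risk-managed,None,2026-02-01,2028-12-31
"""


def validate_inventory(csv_text: str, today: date) -> list[str]:
    """Return human-readable findings; an empty list means the sheet passed."""
    findings = []
    seen_ids = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        uid = row["Unique ID"].strip()

        # Unique IDs are never reused, so a repeat is a hard failure.
        if uid in seen_ids:
            findings.append(f"{uid}: duplicate Unique ID")
        seen_ids.add(uid)

        # Every asset needs a named owner.
        if not row["Owner"].strip():
            findings.append(f"{uid}: missing owner")

        # Authorization status must come from the fixed vocabulary.
        status = row["Authorization status"].strip()
        if status not in ALLOWED_STATUS:
            findings.append(f"{uid}: unknown authorization status '{status}'")

        # Last seen is how ghost assets are caught: old date, no disposal date.
        try:
            last_seen = datetime.strptime(row["Last seen"].strip(), "%Y-%m-%d").date()
        except ValueError:
            findings.append(f"{uid}: unparseable Last seen '{row['Last seen']}'")
        else:
            age = (today - last_seen).days
            if age > STALE_DAYS and not row["Disposal date"].strip():
                findings.append(f"{uid}: not seen for {age} days and no disposal date")

        # CUI relationship: one or two words, not an essay.
        cui = row["CUI access/processing/storage"].strip()
        if len(cui.split()) > 3:
            findings.append(f"{uid}: CUI relationship too verbose ('{cui}')")
    return findings


if __name__ == "__main__":
    for finding in validate_inventory(SAMPLE_CSV, REFERENCE_DATE):
        print(finding)
```

Run it monthly against the exported sheet before the review meeting; an empty result is the evidence that the four notes above are actually being followed, and the findings list is the agenda when they are not.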
If you want extra community templates to cross-check your approach, I’ve pointed teams to the free resources list (Policy templates and tools for CMMC and 800-171).
Build your first inventory in 1 to 2 weeks (without stopping real work)
Most small contractors don’t have a CMDB team. That’s fine. A strong CMMC asset inventory comes from a tight process, not fancy tooling. Here’s the plan I use when time is short.
- Day 1: Lock the scope story. Identify where CUI is received, stored, processed, and sent. Write down the “CUI path” (email, SharePoint, file server, SFTP, portal).
- Days 2 to 3: Capture endpoints and identities. Export device lists from your MDM (Intune, Jamf) or directory, then validate with a quick hands-on check for stragglers.
- Days 4 to 5: Capture network and servers. Firewalls, switches, Wi-Fi, VPN, hypervisors, and any on-prem servers. Don’t forget printers if they can scan-to-email or scan-to-share.
- Days 6 to 7: Capture cloud and SaaS. Tenant names, subscriptions, key admin accounts, and where data lives (Exchange, SharePoint, Teams, third-party apps).
- Week 2: Reconcile and assign owners. Every asset gets an owner, a status, and a “last seen.” Then spot-check reality against the list.
If you’re stuck on what to include for scoping, this asset identification walkthrough is a helpful sanity check (Identify assets for CMMC scoping).
This is also where I tie in the real-world needs of Small Business IT. You might be juggling Cloud Infrastructure work, an Office 365 Migration, aging Data Center Technology, and even Restaurant POS Support and Kitchen Technology Solutions. That’s normal. The inventory becomes your anchor for Cybersecurity Services like Endpoint Security, Device Hardening, and Business Continuity & Security, because you can’t protect what you can’t name.
How I keep the inventory current (automations, reconciliations, and triggers)
The inventory fails when it becomes a once-a-year cleanup project. I keep it alive with two habits: automatic feeds where possible, and calendar-based reviews where automation doesn’t exist.
Automations that help right away: Intune device exports, Defender for Endpoint device health, Entra ID sign-in logs, vulnerability scanner reports, and RMM tools from your MSP. Even if you don’t have a full tool stack, pick one “source of truth” and update the sheet from it monthly.
Reconciliations I schedule: a 15-minute monthly review (new assets, retired assets, exceptions), and a deeper quarterly check (random sample of 10 assets to confirm hostname, encryption, EDR, and patch status).
Triggers that require an immediate update: new hire or termination, new laptop purchase, firewall or VPN change, adding a SaaS app with SSO, new cloud subscription, moving CUI storage locations, or any incident that changes trust (lost device, compromised account).
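The monthly reconciliation described above, as an added Python example that is not part of the original post: it compares the inventory sheet against one "source of truth" export, refreshes Last seen from that export, and reports the three things the 15-minute review looks for (new assets, retired assets, exceptions). The MDM export columns (deviceName, lastCheckIn, complianceState) and both sample files are constructed assumptions, not a real Intune or Jamf schema; hostnames are matched case-insensitively because MDM and directory exports rarely agree on case.

```python
"""Reconcile the asset inventory against a source-of-truth device export.

Added example, not from the original post. Column names in the MDM export are
assumptions for illustration, not a vendor schema.
"""
import csv
import io

# Constructed inventory sheet (subset of the template columns).
INVENTORY_CSV = """Unique ID,Asset type,Serial/hostname,Authorization status,Last seen
END-001,Laptop,JS-LT-0442,Authorized,2026-01-10
END-002,Laptop,KL-LT-0187,Authorized,2026-01-10
SRV-003,VM server,CUI-FS01,Authorized,2026-01-11
"""

# Constructed MDM export: one known laptop, one device the sheet has never seen,
# and the file server reporting noncompliant.
MDM_EXPORT_CSV = """deviceName,lastCheckIn,complianceState
js-lt-0442,2026-02-12,compliant
mk-lt-0501,2026-02-13,compliant
CUI-FS01,2026-02-11,noncompliant
"""


def reconcile(inventory_csv: str, mdm_csv: str) -> dict:
    """Return new/retired/exception lists plus the inventory rows with Last seen refreshed."""
    inventory = list(csv.DictReader(io.StringIO(inventory_csv)))
    mdm = {r["deviceName"].strip().lower(): r for r in csv.DictReader(io.StringIO(mdm_csv))}

    matched = set()
    retired, exceptions, updated = [], [], []
    for row in inventory:
        host = row["Serial/hostname"].strip().lower()
        device = mdm.get(host)
        new_row = dict(row)
        if device is None:
            # In the sheet but not in the source of truth: retired or ghost candidate.
            retired.append(row["Unique ID"])
        else:
            matched.add(host)
            # Automated "last seen" comes straight from the export's check-in date.
            new_row["Last seen"] = device["lastCheckIn"]
            if device["complianceState"].strip().lower() != "compliant":
                exceptions.append(f"{row['Unique ID']}: {device['complianceState']}")
        updated.append(new_row)

    # In the source of truth but not in the sheet: new assets needing an ID and owner.
    new_assets = sorted(h for h in mdm if h not in matched)
    return {"new": new_assets, "retired": retired, "exceptions": exceptions, "updated": updated}


def render_csv(rows: list[dict]) -> str:
    """Serialize the refreshed rows back to CSV for the sheet."""
    if not rows:
        return ""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    result = reconcile(INVENTORY_CSV, MDM_EXPORT_CSV)
    print("New assets:", result["new"])
    print("Retired candidates:", result["retired"])
    print("Exceptions:", result["exceptions"])
    print(render_csv(result["updated"]))
```

The three lists map directly onto the monthly review agenda: new assets get an ID, owner, and status; retired candidates get a disposal date or a hands-on check; exceptions get a ticket. The refreshed CSV is what replaces the Last seen column, so that field stops depending on someone remembering to type a date.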
Minimum viable vs mature inventory
| Inventory element | Minimum viable inventory | Recommended mature inventory |
|---|---|---|
| Coverage | All in-scope endpoints, servers, network, cloud/SaaS | Adds specialized and out-of-scope with separation proof |
| Accuracy | Monthly updates | Automated “last seen” + quarterly sampling |
| Fields | ID, type, owner, CUI flag, last seen | Full template fields + lifecycle and control evidence |
| Evidence | Spreadsheet + screenshots | Exports, tickets, approvals, and change records |
If you want this to turn into a repeatable program, that’s where a Business Technology Partner earns their keep. My Technology Consulting approach is simple: Tailored Technology Services that support Infrastructure Optimization, Cloud Management, Secure Cloud Architecture, and a real IT Strategy for SMBs. It’s not “more tools.” It’s fewer surprises during assessment and fewer late-night fires during normal operations. That’s the point of Managed IT for Small Business and practical Innovative IT Solutions that don’t create more admin work.
Quick checklist I use before assessments
- Inventory covers CUI, security tools, cloud/SaaS, and service providers
- Every asset has an owner and an authorization status
- “Last seen” dates are recent and explainable
- Encryption, EDR/AV, and patch level are populated for endpoints and servers
- Cloud tenants/subscriptions are listed with admin access paths
- Disposal dates exist for retired assets (or a documented plan)
Conclusion
A clean CMMC asset inventory is one of the fastest ways to reduce assessment risk for a small contractor. When I keep the list tight, current, and tied to real operational triggers, the rest of Level 2 work gets easier, patching gets faster, and exceptions stop hiding in plain sight. If your inventory feels messy right now, start with the minimum viable version this week, then grow it into something you can trust.