IT Asset Management

Volume A:

Executive Summary

Michael Stone

Leah Kauffman, Editor-in-Chief

National Cybersecurity Center of Excellence

Information Technology Laboratory

Chinedum Irrechukwu

Harry Perper

Devin Wynne

The MITRE Corporation

McLean, VA

September 2018

This publication is available free of charge from:

The first draft of this publication is available free of charge from:


Executive Summary

  • The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of Standards and Technology (NIST), developed an example solution that financial services companies can use for a more secure and efficient way of monitoring and managing their many information technology (IT) hardware and software assets.
  • The security characteristics in our IT asset management platform are derived from the best practices of standards organizations, including the Payment Card Industry Data Security Standard (PCI DSS).
  • The NCCoE’s approach uses open source and commercially available products that can be included alongside current products in your existing infrastructure. It provides a centralized, comprehensive view of networked hardware and software across an enterprise, reducing vulnerabilities and response time to security alerts, and increasing resilience.
  • The example solution is packaged as a “How To” guide that demonstrates implementation of standards-based cybersecurity technologies in the real world. The guide helps organizations gain efficiencies in asset management, while saving them research and proof of concept costs.


Large financial services organizations employ tens or hundreds of thousands of individuals. At this scale, the technology base required to ensure smooth business operations (including computers, mobile devices, operating systems, applications, data, and network resources) is massive. To effectively manage, use, and secure each of those assets, you need to know their locations and functions. While physical assets can be labeled with bar codes and tracked in a database, this approach does not answer questions such as “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?”

Computer security professionals in the financial services sector told us they are challenged by the vast diversity of hardware and software they attempt to track, and by a lack of centralized control: A large financial services organization can include subsidiaries, branches, third-party partners, contractors, as well as temporary workers and guests. This complexity makes it difficult to assess vulnerabilities or to respond quickly to threats, and to accurately assess risk in the first place (by pinpointing the most business essential assets).


The NIST Cybersecurity IT Asset Management Practice Guide is a proof-of-concept solution demonstrating commercially available technologies that can be implemented to track the location and configuration of networked devices and software across an enterprise. Our example solution spans traditional physical asset tracking, IT asset information, physical security, and vulnerability and compliance information. Users can now query one system and gain insight into their entire IT asset portfolio.

This guide:

  • maps security characteristics to guidance and best practices from NIST and other standards organizations, including the PCI DSS

  • provides:

    • a detailed example solution with capabilities that address security controls
    • instructions for implementers and security engineers, including examples of all the necessary components for installation, configuration, and integration
  • is modular and uses products that are readily available and interoperable with your existing IT infrastructure and investments

While the NCCoE used a suite of commercial products to address this challenge, this guide does not endorse these particular products, nor does it guarantee compliance with any regulatory initiatives. Your organization’s information security experts should identify the products that will best integrate with your existing tools and IT system infrastructure. Your organization can adopt this solution or one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and implementing parts of a solution.


Our example solution has the following benefits:

  • enables faster responses to security alerts by revealing the location, configuration, and owner of a device
  • increases cybersecurity resilience: you can focus attention on the most valuable assets
  • provides detailed system information to auditors
  • determines how many software licenses are actually used in relation to how many have been paid for
  • reduces help desk response times: staff will know what is installed and the latest pertinent errors and alerts
  • reduces the attack surface of each device by ensuring that software is correctly patched

Share Your Feedback

You can view or download the guide at If you adopt this solution for your own organization, please share your experience and advice with us. We recognize that technical solutions alone will not fully enable the benefits of our solution, so we encourage organizations to share lessons learned and best practices for transforming the processes associated with implementing this guide.

To learn more by arranging a demonstration of this example implementation, contact the NCCoE at

Technology Partners/Collaborators

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement (CRADA) to collaborate with NIST in a consortium to build this example solution.


Certain commercial entities, equipment, products, or materials may be identified by name or company logo or other insignia in order to acknowledge their participation in this collaboration or to describe an experimental procedure or concept adequately. Such identification is not intended to imply special status or relationship with NIST or recommendation or endorsement by NIST or NCCoE, neither is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.