Maintaining a complete, authoritative inventory of assets and a clearly defined vulnerability-scanning scope is a foundational requirement under NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (control RA.L2-3.11.2); this post walks through a practical, small-business-friendly approach to identify, classify, and keep endpoints, network gear, and virtual assets within a compliant scanning scope.
Understanding RA.L2-3.11.2 and what "scope" means
RA.L2-3.11.2 requires organizations to identify and track assets that process, store, or transmit Controlled Unclassified Information (CUI) and ensure those assets are included in vulnerability scanning activities. For practical purposes, "scope" is the set of IPs, hostnames, device types, cloud accounts, and asset groups you will routinely discover, maintain in an authoritative inventory (CMDB/asset register), and include in authenticated and unauthenticated scans. The compliance expectation is traceability: you must be able to show auditors how an asset was discovered, why it's in-scope, when it was scanned, and where exceptions are approved and recorded.
Step 1 — Define asset categories and initial boundaries
Endpoints (laptops, desktops, mobile, servers)
Define endpoints as any workstation or server that can access CUI or the systems that do so. For each endpoint capture at minimum: unique asset ID, hostname, IP/MAC, OS and version, owner/operator, whether it handles CUI, management status (e.g., managed by Intune/SCCM/JAMF), and last-seen timestamp. Practical discovery sources for small businesses: AD/SAM tools, Intune/Microsoft Endpoint Manager, JAMF, EDR telemetry (CrowdStrike, Carbon Black, etc.), DHCP lease logs, and periodic agent-based inventory (lightweight inventory agent or MDM agent) to catch remote devices.
Network gear (switches, routers, firewalls, wireless)
Network gear must be inventoried with device role, management IP, firmware/version, the SNMP community strings or SNMPv3 credentials used for validation, physical location, and whether it carries CUI traffic. Use network discovery (ARP tables, LLDP/CDP, SNMP queries, and controller/management-plane APIs such as Cisco DNA Center, Aruba, or Meraki dashboards) to collect a device list. For small shops with a single firewall/router and a layer of managed switches, a weekly SNMP sweep plus an export of controller-managed devices can serve as the authoritative source.
Virtual assets (VMs, containers, images, cloud instances)
Virtual assets include VMs, containers, templates/images, serverless functions, and storage used by workloads handling CUI. Inventory these via hypervisor APIs (VMware vCenter/vSphere REST API, Hyper-V WMI), cloud provider APIs (AWS CLI / SDK, Azure Resource Graph, GCP inventory), and container registries (scan images and maintain image digests). Include build metadata (image ID, build date), owner/project tag, and whether ephemeral instances are scanned at build time or during runtime.
Step 2 — Build an authoritative inventory (practical steps)
Implement one authoritative source of truth (CMDB or lightweight asset database). Practical approach for a small business: start by automating data pulls into a single CSV/DB from critical sources — AD, DHCP, EDR/MDM, hypervisor/cloud APIs, and network controller exports. Normalize fields (asset_id, hostname, ip, mac, type, owner, business_impact, cui_flag, last_seen, scan_status). Use simple automation (PowerShell/Ansible/Python scripts scheduled via cron/Task Scheduler) to update daily. Maintain reconciliation jobs that highlight records seen by one system but missing from the CMDB — e.g., a VM found in vCenter but not in CMDB triggers a ticket for owner tagging and CUI assessment.
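The pull-normalize-reconcile job described above, as an added example (not code from the original post). It assumes two constructed exports whose field names differ (a vCenter VM list and DHCP leases), maps them onto the normalized schema, merges on MAC, and turns anything the CMDB does not know about into a tagging ticket.

```python
# Constructed sample exports (not a real environment); each source names its fields differently.
VCENTER_EXPORT = [
    {"vm_name": "FILESERV01", "guest_ip": "10.0.1.20", "mac": "00:50:56:AA:01:20", "last_heartbeat": "2024-05-01T08:00:00Z"},
    {"vm_name": "build02", "guest_ip": "10.0.1.31", "mac": "00:50:56:aa:01:31", "last_heartbeat": "2024-05-02T09:30:00Z"},
]
DHCP_LEASES = [
    {"host": "LAPTOP-JDOE", "address": "10.0.2.50", "hwaddr": "3C-22-FB-11-22-33", "lease_start": "2024-05-03T07:15:00Z"},
    {"host": "fileserv01", "address": "10.0.1.20", "hwaddr": "00:50:56:aa:01:20", "lease_start": "2024-05-03T06:00:00Z"},
]
CMDB = [{"asset_id": "A-0001", "hostname": "fileserv01", "mac": "00:50:56:aa:01:20",
         "type": "vm", "owner": "it-ops", "cui_flag": True}]
SCHEMA = ("asset_id", "hostname", "ip", "mac", "type", "owner", "business_impact", "cui_flag", "last_seen", "scan_status", "source")

# Field maps: normalized field -> raw field name in that source's export (hypothetical names).
FIELD_MAPS = {
    "vcenter": {"hostname": "vm_name", "ip": "guest_ip", "mac": "mac", "last_seen": "last_heartbeat"},
    "dhcp": {"hostname": "host", "ip": "address", "mac": "hwaddr", "last_seen": "lease_start"},
}
DEFAULT_TYPE = {"vcenter": "vm", "dhcp": "endpoint"}

def norm_mac(mac):
    """Canonical MAC (lowercase, colon-separated) so records key identically across sources."""
    return mac.replace("-", ":").lower()

def normalize(source, raw):
    """Map one raw row onto the CMDB schema; every schema field is present, unknowns are None."""
    fm = FIELD_MAPS[source]
    row = {field: raw[src] for field, src in fm.items()}
    row["hostname"] = row["hostname"].lower()
    row["mac"] = norm_mac(row["mac"])
    row.update(type=DEFAULT_TYPE[source], source=source)
    return {f: row.get(f) for f in SCHEMA}

def merge_sources(pulls):
    """One record per MAC across all pulls; a newer sighting refreshes last_seen/ip/source only."""
    merged = {}
    for source, rows in pulls.items():
        for raw in rows:
            rec = normalize(source, raw)
            cur = merged.get(rec["mac"])
            if cur is None:
                merged[rec["mac"]] = rec
            elif rec["last_seen"] > cur["last_seen"]:  # ISO-8601 timestamps sort lexically
                cur.update(last_seen=rec["last_seen"], ip=rec["ip"], source=rec["source"])
    return merged

def reconcile(merged, cmdb):
    """Records seen by a source but absent from the CMDB: each becomes an owner/CUI tagging ticket."""
    known = {norm_mac(c["mac"]) for c in cmdb}
    return [{"summary": f"Tag owner and CUI flag for {r['hostname']} ({r['ip']}), seen via {r['source']}",
             "record": r} for mac, r in sorted(merged.items()) if mac not in known]
```

Scheduling `reconcile(merge_sources({...}), CMDB)` daily and opening one ticket per returned entry gives the reconciliation trail an assessor will ask for.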
Step 3 — Define scanning scope, frequency, and methods
Translate the inventory into a scanning scope document: lists of IP ranges, host groups, cloud accounts, and device classes. For NIST/CMMC Level 2, prioritize authenticated scans for endpoints and servers (SSH keys or WinRM/WMI credentials) to get an accurate vulnerability and patch state, and use SNMP/SSH/NETCONF for network gear where supported. Set scan frequency by risk tier: critical CUI-handling assets weekly, standard servers monthly, and low-risk assets quarterly. For ephemeral VMs and containers, integrate scanning into CI/CD (scan images before deployment) and have the inventory of new instances trigger a first scan within hours of creation.
Implementation notes, tools, and tuning
Use a combination of agent-based and agentless discovery: agents (EDR/MDM) give reliable last-seen and owner mapping for remote endpoints, while network scans/discovery (Nmap, ARP/LLDP, SNMP) and cloud APIs populate infrastructure. For scanning, use authenticated Nessus/Qualys/Tenable-style scans where possible and non-disruptive unauthenticated scans for network gear that cannot accept credentials. Tune scans to avoid disruption: disable intrusive checks on production appliances, schedule during maintenance windows, and whitelist management networks. Maintain an exceptions register for assets that cannot be scanned (e.g., third-party managed gear) and document the compensating controls and remediation timelines for each.
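Turning the Step 3 tiering rules and the exceptions register above into a scope document, as an added example (not code from the original post). It assumes a constructed inventory in the normalized schema plus a `creds` field recording whether scan credentials exist; an asset with an approved exception is reported with its review date instead of being flagged overdue.

```python
from datetime import date, timedelta
# Cadence by risk tier from Step 3: weekly / monthly / quarterly.
TIER_DAYS = {"critical": 7, "standard": 30, "low": 90}
# Constructed inventory rows (not a real environment); "creds" is a hypothetical field.
INVENTORY = [
    {"asset_id": "A-0001", "hostname": "fileserv01", "ip": "10.0.1.20", "type": "server",
     "cui_flag": True, "creds": "winrm", "last_scan": "2024-05-01"},
    {"asset_id": "A-0002", "hostname": "build02", "ip": "10.0.1.31", "type": "vm",
     "cui_flag": False, "creds": "ssh", "last_scan": "2024-03-20"},
    {"asset_id": "A-0003", "hostname": "core-sw1", "ip": "10.0.0.2", "type": "network",
     "cui_flag": True, "creds": None, "last_scan": "2024-04-25"},
    {"asset_id": "A-0004", "hostname": "printer-lobby", "ip": "10.0.3.9", "type": "iot",
     "cui_flag": False, "creds": None, "last_scan": None},
]
# Exceptions register: assets that cannot be scanned, with approval, compensating control and review date.
EXCEPTIONS = {"A-0004": {"reason": "vendor-managed appliance", "approved_by": "ISSO",
                         "compensating": "VLAN isolation", "review_by": "2024-08-01"}}

def tier(asset):
    """Risk tier: anything touching CUI is critical, infrastructure is standard, the rest low."""
    if asset["cui_flag"]:
        return "critical"
    return "standard" if asset["type"] in ("server", "vm", "network") else "low"

def method(asset):
    """Authenticated where credentials exist; non-disruptive unauthenticated checks for network gear."""
    if asset["creds"]:
        return f"authenticated ({asset['creds']})"
    return "unauthenticated, safe checks only" if asset["type"] == "network" else "unauthenticated"

def scope_entry(asset, today):
    """One scope-document row: tier, method, next due date and current status."""
    t = tier(asset)
    entry = {"asset_id": asset["asset_id"], "ip": asset["ip"], "tier": t, "method": method(asset)}
    exc = EXCEPTIONS.get(asset["asset_id"])
    if exc:  # approved exception: tracked to its review date, not counted as overdue
        entry.update(status="exception", next_due=exc["review_by"], note=exc["reason"])
        return entry
    if asset["last_scan"] is None:  # newly inventoried asset: first scan is due now
        entry.update(status="never-scanned", next_due=today.isoformat())
        return entry
    due = date.fromisoformat(asset["last_scan"]) + timedelta(days=TIER_DAYS[t])
    entry.update(status="overdue" if due < today else "ok", next_due=due.isoformat())
    return entry

def build_scope(inventory, today_iso):
    """Full scope document plus the asset IDs that need a scan queued immediately."""
    today = date.fromisoformat(today_iso)
    entries = [scope_entry(a, today) for a in inventory]
    action = [e["asset_id"] for e in entries if e["status"] in ("overdue", "never-scanned")]
    return entries, action
```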
Compliance tips and small-business scenarios
Example: a 25-person defense subcontractor has a mixed environment (on-prem VMware, AWS Dev/Test, remote laptops). Start by exporting vCenter VM lists and the AWS inventory (ec2 describe-instances), pull Intune records and DHCP leases, and consolidate everything into a Google Sheet or CMDB. Tag every VM and EC2 instance with a project and CUI flag, and enforce tagging via policies. For scanning, use agent-based checks on laptops (EDR/MDM) and authenticated scans for on-prem servers. Map each asset to a custodian and feed scan results into ticketing (Jira/Trello) for remediation. Best practices: document the scope-change process, retain scan logs for at least 12 months, and keep scan evidence easy to present in an audit (screenshots/exports with timestamps).
Risks of not implementing a correct inventory and scope
Without an authoritative inventory and defined scanning scope you risk unpatched systems that process CUI, undetected exposed services, failed CMMC assessments, contract disqualification, and increased likelihood of breaches. Small businesses commonly lose track of cloud resources and laptops; an attacker can pivot from an unmanaged instance or an unscanned VM template. Additionally, inconsistent scope leads to missed scans, no proof of remediation timelines, and ultimately failed evidence collection during an audit.
In summary, meeting RA.L2-3.11.2 requires a repeatable process: define asset categories, build an authoritative, continuously reconciled inventory, map assets to CUI risk, and codify scanning scope and cadence with authenticated scans where possible. For small businesses this can be achieved incrementally—start with automation pulls from AD, DHCP, EDR, hypervisor/cloud APIs, implement a simple CMDB, and evolve scanning processes and exception handling until you can demonstrate traceable discovery -> scan -> remediation workflows during assessment.