Before you can secure your cyber assets, you need to know what and where they are, the functions they perform, and how they are configured. Once you have all of this information, you need to keep it up to date on an ongoing basis as assets are added or removed, or as their configurations change. But you need to do more than this; you need to establish and apply processes, procedures and technology for controlling changes to cyber assets and their configurations.
A large percentage of cyber vulnerabilities are introduced into the network because of configuration changes (e.g., a new software package is loaded, a small wireless LAN is deployed to make it easier for a vendor to access a system, or passwords are removed from a system because a manager could never commit them to memory). Only a rigorous program of authorizing, testing, implementing and documenting configuration changes will allow you to maintain the security level you have attained.