CIP-X

Understanding the CIP-X-101 Standard

A comprehensive guide to the Asset Registry standard for cryptographic device inventory management.

Purpose of the Asset Registry

CIP-X-101 v0.2.0

The Asset Registry is the authoritative inventory of every device that stores, manages, or facilitates access to cryptographic assets. Every security control in the CIP-X framework depends on this registry. If a device is not registered, it cannot be secured, audited, or controlled.

Core Principle: You cannot protect what you do not know exists. The registry serves as the single source of truth for every cryptographic device across your organization, spanning physical data centers, cloud environments, and hybrid deployments.

Data Model

Each registered device maps to a database record with these fields. The device_id serves as the primary key and is referenced across all other CIP-X standards.

FieldType
device_idstring (PK)
device_namestring
serial_numberstring
modelstring
manufacturerstring
device_typeenum
physical_locationstring
jurisdictionstring
ownerstring
managerstring
statusenum
tierenum
control_pathjson
last_verifiedtimestamp
next_verificationtimestamp

Device Types

The registry classifies every device into one of four functional categories. Each type has distinct security requirements and operational characteristics.

HSM

Hardware Security Module

Dedicated tamper-resistant hardware for cryptographic key storage and operations. HSMs provide the highest level of key protection and are typically used for root keys and high-value signing operations.

Thales Luna HSM 7Entrust nShield Connect XC

Validator

Blockchain Validator Node

Servers that participate in blockchain consensus by proposing and attesting to blocks. Validators hold staking keys and must maintain high uptime to avoid slashing penalties.

Dell PowerEdge R760HPE ProLiant DL380 Gen11

RPC Node

Remote Procedure Call Node

Infrastructure nodes that serve blockchain data to applications via JSON-RPC APIs. They maintain a full copy of the chain state and process read/write requests.

On-premise Dell PowerEdge R660Cloud-hosted AWS c6i.2xlarge

Signing Server

Transaction Signing Server

Specialized servers that manage signing workflows, applying policy checks before authorizing cryptographic signatures. They sit between applications and HSMs to enforce business logic.

Dell PowerEdge R760HPE ProLiant DL380 Gen11

Tier Classification

Every device is assigned a tier based on CIP-X-103. The tier determines verification frequency, physical security requirements, and access controls.

Tier 1

Critical

Monthly

Devices that directly custody, sign, or authorize cryptographic operations involving high-value assets. Compromise of a Tier 1 device could result in immediate, irreversible loss of funds.

Required Controls

  • Tamper-evident physical enclosures
  • Biometric + badge access
  • Dedicated network VLANs
  • 24/7 monitoring with automated alerts
  • Monthly verification cycles
Tier 2

Important

Quarterly

Devices that support critical operations but do not directly hold keys. Compromise could disrupt service or expose sensitive data, but does not directly enable asset theft.

Required Controls

  • Locked cabinet or cage
  • Badge-only physical access
  • Segmented network VLANs
  • Business-hours monitoring
  • Quarterly verification cycles
Tier 3

Standard

Semi-annual

Non-production devices used for testing, development, or staging. These devices do not interact with mainnet assets and operate in isolated environments.

Required Controls

  • Standard rack placement
  • Badge access to facility
  • Isolated test network VLANs
  • Standard logging
  • Semi-annual verification cycles

Device Statuses

Every device has exactly one operational status at any given time. Status transitions are logged and auditable.

Active

Device is fully operational, connected to the network, and performing its designated function. All security controls are in place and verified.

Maintenance

Device is temporarily taken offline for firmware updates, hardware repairs, or scheduled maintenance. Security controls remain enforced during this period.

Retired

Device has been removed from active duty but has not yet been physically decommissioned. Keys may still reside on the device pending secure erasure procedures.

Decommissioned

Device has been securely wiped, physically disconnected, and removed from the network. All cryptographic material has been destroyed per the key destruction protocol.

Verification Schedule

Each device must be periodically verified to confirm its physical location, operational status, and security controls match the registry record. The verification frequency is determined by the device tier:

TierFrequencyOverdue Threshold
Tier 1Every 30 daysnext_verification < now()
Tier 2Every 90 daysnext_verification < now()
Tier 3Every 180 daysnext_verification < now()

Warning: Overdue devices are flagged on the dashboard with a red indicator. An overdue verification means the registry can no longer guarantee that the physical and logical state of the device matches its record.

Control Path

The control_path field: records the complete chain of physical and logical control from the device to the personnel who can access it. Stored as a JSON object with five components:

host_system

Whether the device runs on bare-metal, a VM, or a cloud instance (e.g., EC2)

physical_container

The physical enclosure type: tamper-evident cage, locked cabinet, or standard rack

data_center

The specific facility where the device is located

network_path

Network segmentation: dedicated VLAN, VPC peering, or public internet exposure

personnel_access

Required authentication to physically reach the device: biometric, badge, IAM role, etc.