The higher-ed ITAM glossary.

IT asset management (ITAM) is the practice of tracking and governing an organization's hardware, software, and cloud assets across their full lifecycle — procurement, deployment, maintenance, and disposal — as a single system of record. In higher education, ITAM spans laptops, lab instruments, software licenses, and grant-funded equipment, and underpins financial reporting, security, and audit.

In HabeoHabeo is a higher-education-native ITAM platform: the institutional system of record for everything a university tags.

A configuration management database (CMDB) is a repository that stores an organization's IT assets (configuration items) and the relationships between them — which device runs which software, who it is assigned to, and what it depends on. A modern CMDB is a live relationship graph rather than a periodic spreadsheet import.

In HabeoHabeo's CMDB is built from live MDM and HRIS data, with hosts, software, people, departments, and grants as first-class, typed relationships.

GASB 34 and GASB 35 are accounting standards from the Governmental Accounting Standards Board that govern financial reporting for U.S. state and local governments and public colleges and universities. They require institutions to capitalize and depreciate long-lived assets (equipment, infrastructure) and report them in government-wide financial statements. GASB 35 specifically extends the GASB 34 reporting model to public higher-education institutions.

In HabeoHabeo models GASB 34/35 straight-line depreciation per capital class and produces the roll-forward auditors expect.

The Higher Education Community Vendor Assessment Toolkit (HECVAT) is a standardized security and privacy questionnaire that colleges and universities use to assess third-party vendors handling institutional data. Maintained by the EDUCAUSE Higher Education Information Security Council, it comes in Full, Lite, and On-Premise editions; HECVAT 4.x is the current generation. A published HECVAT response lets a vendor clear institutional security review faster.

In HabeoHabeo publishes a HECVAT 2024 response — a Lite narrative plus the full 331-question HECVAT 4.1.5 workbook (XLSX) — at /compliance/hecvat.

InCommon is the identity federation for U.S. research and education, operated by Internet2. It lets students, faculty, and staff use their home-institution credentials to access federated services through SAML-based single sign-on (commonly via Shibboleth), without each service managing its own accounts. Membership signals that a service integrates with the standard higher-ed identity fabric.

In HabeoHabeo supports InCommon-compatible SAML SSO; InCommon Federation membership is on the roadmap for Q4 FY26.

2 CFR §200.313 is the section of the federal Uniform Guidance that governs equipment acquired under federal awards. It requires recipients (including universities) to maintain detailed property records, conduct a physical inventory at least every two years, keep a control system to prevent loss or theft, maintain the equipment, and follow defined disposition procedures — including requesting disposition instructions from the awarding agency for equipment over $5,000 fair market value.

In HabeoHabeo tags federally funded assets at acquisition, schedules the biennial inventory, and gates disposition behind grant-manager approval.

Mobile device management (MDM) is software that enrolls, configures, and monitors an organization's endpoints — Macs, Windows PCs, iPhones, iPads, Chromebooks — from a central console. MDM platforms hold an authoritative, continuously updated inventory of managed devices, which makes them the ideal discovery source for IT asset management.

In HabeoHabeo ingests Jamf Pro, Microsoft Intune, and Google Admin continuously — no agents to deploy — so the asset record stays live.

SCIM (System for Cross-domain Identity Management) is an open standard, defined in RFCs 7643 and 7644, for automating the exchange of user identity information between systems. It lets an identity provider automatically create, update, and deactivate accounts in downstream applications as people join, move, or leave — eliminating manual provisioning.

In HabeoHabeo supports SCIM 2.0 provisioning alongside SAML SSO.

SAML (Security Assertion Markup Language) is an XML-based open standard for single sign-on. It lets an identity provider pass authenticated identity assertions to a service provider, so a user signs in once with their institutional account and gains access to connected applications without separate passwords.

In HabeoHabeo authenticates via SAML SSO and is InCommon-compatible.

The Carnegie Classification is the standard framework for categorizing U.S. colleges and universities — for example R1 and R2 doctoral universities by research activity, plus baccalaureate, master's, and associate's categories. Stewarded by the American Council on Education and the Carnegie Foundation, it is widely used to benchmark and segment institutions.

In HabeoHabeo prices by Carnegie classification and endpoint band rather than per device or per seat.

Chargeback and showback are methods for attributing IT costs to the departments, colleges, or grants that consume them. Chargeback bills those costs back to the unit's budget; showback reports the costs for visibility without an internal transfer. Both depend on an accurate asset and usage record tied to cost centers.

In HabeoHabeo allocates hardware, software, and shared-service spend by usage, headcount, or cost-center rule and exports monthly summaries to the finance ledger.

Disposition is the controlled retirement of an asset at end of life — sale, transfer, recycling, or scrap — with the financial and compliance record updated accordingly. Surplus management is the process of redistributing or reselling still-usable equipment a department no longer needs. For federally funded equipment, disposition is governed by Uniform Guidance §200.313.

In HabeoHabeo tracks the full disposal lifecycle — retired, disposed, lost, stolen — with surplus redistribution and resale built in.

Depreciation is the accounting allocation of a capital asset's cost over its useful life. Public universities most commonly use straight-line depreciation, recognizing equal expense each year, to satisfy GASB 34/35 reporting. Accurate depreciation depends on an asset record with acquisition cost, in-service date, and capital class.

In HabeoHabeo derives depreciation directly from the asset ledger, separating federally funded basis from institutional basis.

PunchOut is a procurement integration that lets a buyer browse a supplier's catalog from inside their own purchasing system and return a populated cart for approval. It is implemented over the cXML or OCI (Open Catalog Interface) protocols and is the standard way universities buy against negotiated consortium and direct-vendor catalogs.

In HabeoHabeo supports consortium punchout catalogs (OCI / cXML) to E&I Cooperative Services, OMNIA Partners, and direct vendors, capturing the award and funding source at acquisition.

A system of record is the authoritative data source for a given entity — the single place the organization trusts for the truth about it. For physical and digital assets, the asset system of record is where every other system (finance, security, ITSM, audit) reconciles against, so the data must be complete, current, and governed.

In HabeoHabeo is the asset system of record: the one place hardware, software, IoT, and grant-funded equipment reconcile.

An endpoint is any device that connects to an organization's network — laptop, desktop, phone, tablet, server, or IoT device. In higher-education IT asset management, the endpoint count is the standard unit for sizing the managed fleet and is commonly used to scope licensing and pricing.

In HabeoHabeo's institutional pricing is fixed by endpoint band, not per device.

The Family Educational Rights and Privacy Act (FERPA) is a U.S. federal law that protects the privacy of student education records. It governs how institutions and their vendors may collect, store, and disclose personally identifiable information from those records, and is a baseline requirement in higher-education vendor security review.

In HabeoHabeo is FERPA-aware in its data handling and documents that posture in its published HECVAT response.

SOC 2 Type II is an independent audit report, based on the AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy), that evaluates whether a service organization's controls operated effectively over a period of time — typically 3 to 12 months. Unlike Type I, which is a point-in-time snapshot, Type II tests controls across the period.

In HabeoHabeo is SOC 2 Type II ready, with the audit period closing Q3 FY26.