NIST SP 800-53: CONTROLS STANDARD

FAMILY: CONFIGURATION MANAGEMENT    CLASS: OPERATIONAL


CM-8 INFORMATION SYSTEM COMPONENT INVENTORY

Control:
The organization develops, documents, and maintains an inventory of information system components that:
    a. Accurately reflects the current information system;
    b. Is consistent with the authorization boundary of the information system;
    c. Is at the level of granularity deemed necessary for tracking and reporting;
    d. Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and
    e. Is available for review and audit by designated organizational officials.
Supplemental Guidance:
Information deemed to be necessary by the organization to achieve effective property accountability can include, for example, hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name and network address. Related controls: CM-2, CM-6.
Control Enhancements:
(1) The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
(2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
Enhancement Supplemental Guidance:
Organizations maintain the information system inventory to the extent feasible. Virtual machines, for example, can be difficult to monitor because they are not visible to the network when not in use. In such cases, the intent of this control enhancement is to maintain as up-to-date, complete, and accurate an inventory as is reasonable.
(3) The organization:
    (a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and
    (b) Disables network access by such components/devices or notifies designated organizational officials.
Enhancement Supplemental Guidance:
This control enhancement is applied in addition to the monitoring for unauthorized remote connections in AC-17 and for unauthorized mobile devices in AC-19. The monitoring for unauthorized components/devices on information system networks may be accomplished on an ongoing basis or by the periodic scanning of organizational networks for that purpose. Automated mechanisms can be implemented within the information system and/or in another separate information system or device. Related controls: AC-17, AC-19.
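As an added example (not part of NIST SP 800-53 or any NIST tool), the following Python reconciles one periodic network scan against a component inventory: constructed inventory records carry the fields named in the supplemental guidance (machine name, network address, owner, serial number), and the constructed scan output stands in for a DHCP lease list or ARP sweep. It flags devices absent from the inventory (CM-8(3)(a)), inventoried components the scan no longer observes (CM-8(1), (5)), and address changes, and renders notification lines for designated officials (CM-8(3)(b)); disabling network access is left to the organization's switch or NAC controls.

```python
# Added example, not from NIST SP 800-53. All inventory and scan data is constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Component:
    hostname: str
    mac: str          # network (hardware) address, used as the matching key
    ip: str
    owner: str
    serial: str

# Constructed authorized inventory (fields drawn from the CM-8 supplemental guidance).
INVENTORY = [
    Component("fileserv01", "00:11:22:33:44:01", "10.0.1.10", "it-ops", "SN-1001"),
    Component("ws-alice", "00:11:22:33:44:02", "10.0.1.21", "alice", "SN-1002"),
    Component("printer-2f", "00:11:22:33:44:03", "10.0.1.50", "facilities", "SN-1003"),
]

# Constructed scan output: (mac, ip) pairs as a DHCP lease table or ARP sweep reports them.
SCAN = [
    ("00:11:22:33:44:01", "10.0.1.10"),   # matches inventory
    ("00:11:22:33:44:02", "10.0.1.22"),   # inventoried, but address differs
    ("AA:BB:CC:DD:EE:FF", "10.0.1.77"),   # not in inventory -> unauthorized component
]

def reconcile(inventory, scan):
    """Return (unauthorized, missing, changed) for one scan against the inventory."""
    by_mac = {c.mac.lower(): c for c in inventory}
    seen, unauthorized, changed = set(), [], []
    for mac, ip in scan:
        mac = mac.lower()                 # normalise case before matching
        seen.add(mac)
        comp = by_mac.get(mac)
        if comp is None:
            unauthorized.append((mac, ip))
        elif comp.ip != ip:
            changed.append((comp.hostname, comp.ip, ip))
    # Inventoried components the scan did not observe (stale entries, CM-8(1)/(5)).
    missing = [c.hostname for c in inventory if c.mac.lower() not in seen]
    return unauthorized, missing, changed

def notifications(inventory, scan):
    """One notification line per finding for designated officials (CM-8(3)(b))."""
    unauthorized, missing, changed = reconcile(inventory, scan)
    lines = [f"UNAUTHORIZED {mac} at {ip}: not in component inventory" for mac, ip in unauthorized]
    lines += [f"MISSING {h}: inventoried but not observed in scan" for h in missing]
    lines += [f"CHANGED {h}: inventory {old} vs observed {new}" for h, old, new in changed]
    return lines
```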
(4) The organization includes in property accountability information for information system components, a means for identifying by [Selection (one or more): name; position; role] individuals responsible for administering those components.
(5) The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.
(6) The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
Enhancement Supplemental Guidance:
This control enhancement focuses on the configuration settings established by the organization for its information system components, the specific information system components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings in the deployed information system components. Related controls: CM-2, CM-6.
References:
NIST Special Publication 800-128.
Priority and Baseline Allocation:

P1
LOW:  CM-8
MOD:  CM-8 (1) (5)
HIGH: CM-8 (1) (2) (3) (4) (5)

ISO/IEC 27001 Annex A Control Mapping:
A.7.1.1  Inventory of assets
A.7.1.2  Ownership of assets

NIST Special Publication 800-53: This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States.
Attribution would, however, be appreciated by NIST.

This document was produced from an export of the database beta application released with NIST SP 800-53 REV 3.
The text is unchanged from the information contained in the database. You are free to use this material under the same terms provided by NIST.
Attribution for this arrangement of the material would be appreciated.
Tim Hudson - tjh@cryptsoft.com