Organizational Control: Information System Component Inventory

Control ID: CM-8 Information System Component Inventory
Family: Configuration Management
Source: NIST 800-53r4
Control: The organization:
  a. Develops and documents an inventory of information system components that:
     1. Accurately reflects the current information system;
     2. Includes all components within the authorization boundary of the information system;
     3. Is at the level of granularity deemed necessary for tracking and reporting; and
     4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
  b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
Supplemental Guidance:
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.

Related Controls: CM-2, CM-6, PM-5
Control Enhancements:
(1) Information System Component Inventory | Updates During Installations / Removals
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
Supplemental Guidance:
Related Controls: SI-7

(12) Information System Component Inventory | Automated Unauthorized Component Detection
The organization:
  1. Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
  2. Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].

Supplemental Guidance: This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.
Related Controls: AC-17, AC-18, AC-19, CA-7, RA-5, SI-3, SI-4, SI-7

(13) Information System Component Inventory | Accountability Information
The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.
Supplemental Guidance: Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and that organizations can contact those individuals if some action is required (e.g., a component is determined to be the source of a breach/compromise, a component needs to be recalled/replaced, or a component needs to be relocated).
Related Controls: N/A

(14) Information System Component Inventory | No Duplicate Accounting Of Components
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
Supplemental Guidance: This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems.
Related Controls: N/A
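An added example (not part of NIST SP 800-53 or any reference implementation) showing how the automated detection in enhancement (12) and the duplicate-accounting check in enhancement (14) can be reduced to a reconciliation of discovered components against per-system authorized inventories. The inventories, scan result, serial numbers and the notification role name are all constructed sample data.

```python
"""Inventory reconciliation: flag discovered components absent from the authorized
inventory (CM-8 enhancement 12) and components listed in more than one system's
inventory (CM-8 enhancement 14). All data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    serial: str   # identity key; real inventories also carry hostname/MAC/address
    system: str   # information system association (authorization boundary)
    owner: str    # individual accountable for administering the component
    kind: str     # hardware / software / firmware


# Constructed authorized inventories, one per information system.
AUTHORIZED = {
    "SYS-A": [Component("SN-1001", "SYS-A", "alice", "hardware"),
              Component("SN-1002", "SYS-A", "bob", "hardware")],
    "SYS-B": [Component("SN-2001", "SYS-B", "carol", "hardware"),
              # Same physical device also claimed by SYS-A: a CM-8(14) finding.
              Component("SN-1002", "SYS-B", "dave", "hardware")],
}

# Constructed output of an automated scan of SYS-A (agent or network discovery).
DISCOVERED_SYS_A = ["SN-1001", "SN-1002", "SN-9999"]


def unauthorized(system, discovered, authorized=AUTHORIZED):
    """Serials observed by the scan that have no entry in the system's inventory."""
    known = {c.serial for c in authorized[system]}
    return sorted(set(discovered) - known)


def duplicates(authorized=AUTHORIZED):
    """Map serial -> list of systems for components accounted for more than once."""
    seen = {}
    for system, comps in authorized.items():
        for c in comps:
            seen.setdefault(c.serial, []).append(system)
    return {s: systems for s, systems in seen.items() if len(systems) > 1}


def respond(serial, roles=("isoc-oncall",)):
    """One CM-8(12) selection: notify designated roles (the 'isoc-oncall' role is
    a placeholder; disabling or isolating the component is site-specific)."""
    return {"component": serial, "action": "notify", "recipients": list(roles)}


if __name__ == "__main__":
    for s in unauthorized("SYS-A", DISCOVERED_SYS_A):
        print(respond(s))
    for s, systems in duplicates().items():
        print(f"{s} is accounted for in multiple inventories: {systems}")
```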

(11) Information System Component Inventory | Automated Maintenance
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
Supplemental Guidance: Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.
Related Controls: SI-7
References: NIST Special Publication 800-128.
Mechanisms:

Protocol Implementation Conformance Statements: N/A