This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Includes all components within the authorization boundary of the information system;
3. Is at the level of granularity deemed necessary for tracking and reporting; and
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
b. Reviews and updates the information system component inventory [FedRAMP Assignment: (L)(M)(H) at least monthly].
CM-8 Additional FedRAMP Requirements and Guidance: must be provided at least monthly or when there is a change.
NIST 800-53 (r4) Supplemental Guidance:
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5.
References: NIST Special Publication 800-128.
NIST 800-53 (r5) Discussion:
System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.
Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.
38North Guidance:
Meets Minimum Requirement:
Develop and maintain an asset inventory that details all information system components (e.g., software, network components) deployed within the environment. Details about each system asset maintained in the inventory must be listed in a consistent manner and include general asset information (IP address, virtual/public, DNS name/URL, location, type, etc.), a unique asset identifier, and the asset owner.
Observe the inventory process to show how the inventory is generated before a vulnerability scan is run.
The asset inventory must be updated at least monthly or when changes occur that impact components listed in the inventory. Changes include deployment of new cloud resources, relocation of systems, or removal/disposal of system components.
Utilize the FedRAMP template for documenting the system component inventory. The template can be found using the following link and searching for "SSP ATTACHMENT 13 - FedRAMP Integrated Inventory Workbook Template": https://www.fedramp.gov/documents-templates/
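As an added example (not part of the 38North guidance or the FedRAMP workbook), a small Python check that applies the accountability rules above to a constructed inventory: it flags entries missing the required fields, software instances with no system association, a host counted twice because a scan recorded it in both the IPv4 and IPv6 address space (the duplicate accounting the r5 discussion describes), and entries whose last review falls outside the monthly window. The field names and sample rows are assumptions.

```python
import ipaddress
from datetime import date, timedelta

# Fields the guidance above requires on every entry. "system" is the system association
# the r5 discussion calls for so that one software instance is not counted twice.
REQUIRED = ("asset_id", "virtual_public", "location", "asset_type", "owner", "system", "last_reviewed")
NETWORK_FIELDS = ("ip", "dns_name")   # required only for networked components
REVIEW_WINDOW = timedelta(days=31)    # "at least monthly"

def check_inventory(rows, as_of):
    """Return [(asset_id, issue)] for a list of inventory rows (dicts keyed by field name)."""
    findings = []
    seen = {}   # machine (DNS) name -> asset_id first recorded under that name
    for r in rows:
        aid = r.get("asset_id", "")
        needed = REQUIRED + (() if r.get("asset_type") == "software" else NETWORK_FIELDS)
        findings += [(aid, f"missing {f}") for f in needed if not r.get(f)]
        if r.get("ip"):
            fam = ipaddress.ip_address(r["ip"]).version
            name = r.get("dns_name", "")
            if name and name in seen and seen[name] != aid:
                # Same machine name under a second identifier: one component counted twice,
                # typically a scan that saw the host in both the IPv4 and IPv6 address space.
                findings.append((aid, f"duplicate of {seen[name]} via IPv{fam}"))
            elif name:
                seen[name] = aid
        if r.get("last_reviewed") and as_of - date.fromisoformat(r["last_reviewed"]) > REVIEW_WINDOW:
            findings.append((aid, "review older than monthly window"))
    return findings

# Constructed sample rows (hypothetical hosts and identifiers, not a real inventory).
FIELDS = ("asset_id", "ip", "virtual_public", "dns_name", "location",
          "asset_type", "owner", "system", "last_reviewed")
SAMPLE = [dict(zip(FIELDS, t)) for t in (
    ("scan-0001", "10.0.1.5", "virtual", "web01.example.test", "us-east-1", "VM", "ops-team", "SYS-A", "2024-05-20"),
    ("scan-0002", "fd00::5", "virtual", "web01.example.test", "us-east-1", "VM", "ops-team", "SYS-A", "2024-05-20"),
    ("sw-7", "", "virtual", "", "us-east-1", "software", "sec-team", "", "2024-05-20"),
    ("db-1", "10.0.2.9", "virtual", "db01.example.test", "us-east-1", "database", "", "SYS-A", "2024-03-01"),
)]

def run_sample(as_of=date(2024, 6, 1)):
    """Run the check over the constructed sample as of a fixed review date."""
    return check_inventory(SAMPLE, as_of)

if __name__ == "__main__":
    for aid, issue in run_sample():
        print(f"{aid}: {issue}")
```

The duplicate finding is the case to resolve before the workbook is submitted: keep one entry per component under one unique identifier and record both addresses on it.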
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
FedRAMP inventory workbook (all hardware, software, network components) in the FedRAMP template detailing all information system components deployed within the environment. Details about each system asset must be listed in a consistent manner and include general asset information (IP address, virtual/public, DNS name/URL, location, type, etc.), unique asset identifier, and the asset owner.
Evidence of monthly reviews/updates of the system component inventory.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD