This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
NIST 800-53 (r4) Supplemental Guidance:
Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7.
NIST 800-53 (r5) Discussion:
Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for organizations that combine system component inventory and baseline configuration activities.
38North Guidance:
Meets Minimum Requirement:
Maintain an up-to-date and complete inventory of the environment via automated mechanisms (e.g., full discovery scans).
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Automated mechanisms used to maintain an up-to-date, complete, accurate, and readily available inventory of information system components. System inventory detailing all information system components (e.g., software, network components) deployed within the environment. Details about each system asset must be listed in a consistent manner and include general asset information (IP address, virtual/public, DNS name/URL, location, type, etc.), a unique asset identifier, and the asset owner.
Observe the inventory process showing how inventory is generated prior to running a vulnerability scan.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD