CM 12 INFORMATION LOCATION - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

CM-12 INFORMATION LOCATION

Control:

  • a. Identify and document the location of [ Assignment: organization-defined information ] and the specific system components on which the information is processed and stored;
  • b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
  • c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

Discussion: Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).

Related Controls: AC-2, AC-3, AC-4, AC-6, AC-23, CM-8, PM-5, RA-2, SA-4, SA-8, SA-17, SC-4, SC- 16, SC-28, SI-4, SI-7.

Control Enhancements:

  • (1) INFORMATION LOCATION | AUTOMATED TOOLS TO SUPPORT INFORMATION LOCATION
    Use automated tools to identify [ Assignment: organization-defined information by information type ] on [ Assignment: organization-defined system components ] to ensure controls are in place to protect organizational information and individual privacy.

    Discussion: The use of automated tools helps to increase the effectiveness and efficiency of the information location capability implemented within the system. Automation also helps organizations manage the data produced during information location activities and share such information across the organization. The output of automated information location tools can be used to guide and inform system architecture and design decisions.

    Related Controls: None.

References: [FIPS 199], [SP 800-60-1], [SP 800-60-2].

⚠️ **GitHub.com Fallback** ⚠️