CM 8 SYSTEM COMPONENT INVENTORY - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control:

• a. Develop and document an inventory of system components that:
  • 1 . Accurately reflects the system;
  • 2 . Includes all components within the system;
  • 3 . Does not include duplicate accounting of components or components assigned to any other system;
  • 4 . Is at the level of granularity deemed necessary for tracking and reporting; and
  • 5 . Includes the following information to achieve system component accountability: [ Assignment: organization-defined information deemed necessary to achieve effective system component accountability ]; and
• b. Review and update the system component inventory [ Assignment: organization-defined frequency ].

Discussion: System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.

Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.

Related Controls: CM-2, CM-7, CM-9, CM-10, CM-11, CM-13, CP-2, CP-9, MA-2, MA-6, PE-20, PL- 9, PM-5, SA-4, SA-5, SI-2, SR-4.

Control Enhancements:

• (1) SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATION AND REMOVAL
  Update the inventory of system components as part of component installations, removals, and system updates.

  Discussion: Organizations can improve the accuracy, completeness, and consistency of system component inventories if the inventories are updated as part of component installations or removals or during general system updates. If inventories are not updated at these key times, there is a greater likelihood that the information will not be appropriately captured and documented. System updates include hardware, software, and firmware components.

  Related Controls: PM-16.

• (2) SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE
  Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [ Assignment: organization-defined automated mechanisms ].

  Discussion: Organizations maintain system inventories to the extent feasible. For example, virtual machines can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. Automated maintenance can be achieved by the implementation of CM-2(2) for organizations that combine system component inventory and baseline configuration activities.

  Related Controls: None.

• (3) SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION
  

  • (a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [ Assignment: organization-defined automated mechanisms ] [ Assignment: organization-defined frequency ]; and
  • (b) Take the following actions when unauthorized components are detected: [ Selection (one or more): disable network access by such components; isolate the components; notify [ Assignment: organization-defined personnel or roles ]].

  Discussion: Automated unauthorized component detection is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms may also be used to prevent the connection of unauthorized components (see CM-7(9)). Automated mechanisms can be implemented in systems or in separate system components. When acquiring and implementing automated mechanisms, organizations consider whether such mechanisms depend on the ability of the system component to support an agent or supplicant in order to be detected since some types of components do not have or cannot support agents (e.g., IoT devices, sensors). Isolation can be achieved , for example, by placing unauthorized system components in separate domains or subnets or quarantining such components. This type of component isolation is commonly referred to as “sandboxing.”

  Related Controls: AC-19, CA-7, RA-5, SC-3, SC-39, SC-44, SI-3, SI-4, SI-7.

• (4) SYSTEM COMPONENT INVENTORY | ACCOUNTABILITY INFORMATION
  Include in the system component inventory information, a means for identifying by [ Selection (one or more): name; position; role ], individuals responsible and accountable for administering those components.

  Discussion: Identifying individuals who are responsible and accountable for administering system components ensures that the assigned components are properly administered and that organizations can contact those individuals if some action is required (e.g., when the component is determined to be the source of a breach, needs to be recalled or replaced, or needs to be relocated).

  Related Controls: AC-3.

• (5) SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS
  [Withdrawn: Incorporated into CM-8.]

• (6) SYSTEM COMPONENT INVENTORY | ASSESSED CONFIGURATIONS AND APPROVED DEVIATIONS
  Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.

  Discussion: Assessed configurations and approved deviations focus on configuration settings established by organizations for system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings.

  Related Controls: None.

• (7) SYSTEM COMPONENT INVENTORY | CENTRALIZED REPOSITORY
  Provide a centralized repository for the inventory of system components.

  Discussion: Organizations may implement centralized system component inventories that include components from all organizational systems. Centralized repositories of component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories may also help organizations rapidly identify the location and responsible individuals of components that have been compromised, breached, or are otherwise in need of mitigation actions. Organizations ensure that the resulting centralized inventories include system-specific information required for proper component accountability.

  Related Controls: None.

• (8) SYSTEM COMPONENT INVENTORY | AUTOMATED LOCATION TRACKING
  Support the tracking of system components by geographic location using [ Assignment: organization-defined automated mechanisms ].

  Discussion: The use of automated mechanisms to track the location of system components can increase the accuracy of component inventories. Such capability may help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. The use of tracking mechanisms can be coordinated with senior agency officials for privacy if there are implications that affect individual privacy.

  Related Controls: None.

• (9) SYSTEM COMPONENT INVENTORY | ASSIGNMENT OF COMPONENTS TO SYSTEMS
  

  • (a) Assign system components to a system; and
  • (b) Receive an acknowledgement from [ Assignment: organization-defined personnel or roles ] of this assignment.

  Discussion: System components that are not assigned to a system may be unmanaged, lack the required protection, and become an organizational vulnerability.

  Related Controls: None.

References: [OMB A-130], [SP 800-57-1], [SP 800-57-2], [SP 800-57-3], [SP 800-128], [IR 8011-2], [IR 8011-3].