PM 5 SYSTEM INVENTORY - NIST-SP-800-53-R5/NIST-SP-800-53-R5.github.io GitHub Wiki

Control: Develop and update [Assignment: organization-defined frequency] an inventory of organizational systems.

Discussion: [OMB A-130] provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in CM-8.

Related Controls: None.

Control Enhancements:

• (1) SYSTEM INVENTORY / INVENTORY OF PERSONALLY IDENTIFIABLE INFORMATION
  Establish, maintain, and update [ Assignment: organization-defined frequency ] an inventory of all systems, applications, and projects that process personally identifiable information.

  Discussion: An inventory of systems, applications, and projects that process personally identifiable information supports the mapping of data actions, providing individuals with privacy notices, maintaining accurate personally identifiable information, and limiting the processing of personally identifiable information when such information is not needed for operational purposes. Organizations may use this inventory to ensure that systems only process the personally identifiable information for authorized purposes and that this processing is still relevant and necessary for the purpose specified therein.

  Related Controls: AC-3, CM-8, CM-12, CM-13, PL-8, PM-22, PT-3, PT-5, SI-12, SI-18.

References: [IR 8062].