ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained


[ Note: Subcategories do not have detailed descriptions. However NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

Ex1: Maintain inventories for all types of software and services, including commercial-off-the-shelf, open-source, custom applications, API services, and cloud-based applications and services

Ex2: Constantly monitor all platforms, including containers and virtual machines, for software and service inventory changes

Ex3: Maintain an inventory of the organization's systems