ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles

Description

[csf.tools Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

1st: 1st Party Risk

3rd: 3rd Party Risk

Ex1: Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services

Ex2: Integrate cybersecurity considerations into product life cycles

Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., shadow IT)

Ex4: Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface

Ex5: Properly configure and secure systems, hardware, software, and services prior to their deployment in production

Ex6: Update inventories when systems, hardware, software, and services are moved or transferred within the organization

Ex7: Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions

Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement

Ex9: Offer methods for destroying paper, storage media, and other physical forms of data storage