CM-8: Information System Component Inventory
Control Family:
Next Version:
- NIST Special Publication 800-53 Revision 5:
- CM-8: System Component Inventory
Control Statement
The organization:
- Develops and documents an inventory of information system components that:
  - Accurately reflects the current information system;
  - Includes all components within the authorization boundary of the information system;
  - Is at the level of granularity deemed necessary for tracking and reporting; and
  - Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
- Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
Supplemental Guidance
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.
Control Enhancements
CM-8(1): Updates During Installations / Removals
Baseline(s):
- Moderate
- High
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
CM-8(2): Automated Maintenance
Baseline(s):
- High
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
CM-8(3): Automated Unauthorized Component Detection
Baseline(s):
- Moderate
- High
The organization:
- Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
- Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
CM-8(4): Accountability Information
Baseline(s):
- High
The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.
CM-8(5): No Duplicate Accounting Of Components
Baseline(s):
- Moderate
- High
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
CM-8(6): Assessed Configurations / Approved Deviations
Baseline(s):
The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
CM-8(7): Centralized Repository
Baseline(s):
The organization provides a centralized repository for the inventory of information system components.
CM-8(8): Automated Location Tracking
Baseline(s):
The organization employs automated mechanisms to support tracking of information system components by geographic location.
CM-8(9): Assignment Of Components To Systems
Baseline(s):
The organization:
- Assigns [Assignment: organization-defined acquired information system components] to an information system; and
- Receives an acknowledgement from the information system owner of this assignment.