catalog: SP800-53rev3 / class: Operational / family: (CM) Configuration Management


  CM-08: Information System Component Inventory  

base control objective:
The organization develops, documents, and maintains an inventory of information system components that:
a. Accurately reflects the current information system;
b. Is consistent with the authorization boundary of the information system;
c. Is at the level of granularity deemed necessary for tracking and reporting;
d. Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and
e. Is available for review and audit by designated organizational officials.

supplemental objective information:
Information deemed to be necessary by the organization to achieve effective property accountability can include, for example, hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name and network address.

enhancements to the base objective:

(1) The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

(2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
Enhancement Supplemental Guidance: Organizations maintain the information system inventory to the extent feasible. Virtual machines, for example, can be difficult to monitor because they are not visible to the network when not in use. In such cases, the intent of this control enhancement is to maintain as up-to-date, complete, and accurate an inventory as is reasonable.

(3) The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and
(b) Disables network access by such components/devices or notifies designated organizational officials.
Enhancement Supplemental Guidance: This control enhancement is applied in addition to the monitoring for unauthorized remote connections in AC-17 and for unauthorized mobile devices in AC-19. The monitoring for unauthorized components/devices on information system networks may be accomplished on an ongoing basis or by the periodic scanning of organizational networks for that purpose. Automated mechanisms can be implemented within the information system and/or in another separate information system or device.

(4) The organization includes in property accountability information for information system components, a means for identifying by [Selection (one or more): name; position; role] individuals responsible for administering those components.

(5) The organization verifies that all components within the physical boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.

(6) The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
Enhancement Supplemental Guidance: This control enhancement focuses on the configuration settings established by the organization for its information system components, the specific information system components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings in the deployed information system components.

mapping to FIPS199 baseline:

  LOW: base     MOD: base (1) (5)     HIGH: base (1) (2) (3) (4) (5)  

related (regimented) controls:

CM-02   Baseline Configuration
CM-06   Configuration Settings

documents referenced in SP800-53rev3 for CM-08:

Document | Date | Status | Title
NIST SP800-35 | October, 2003 | current | Guide to Information Technology Security Services
NIST SP800-40 | November, 2005 | current | Creating a Patch and Vulnerability Management Program
