BRACKETOLOGY | FEDRAMP

CM-8: INFORMATION SYSTEM COMPONENT INVENTORY

  • FedRAMP Baseline Membership CM-8:
  • LOW
  • MODERATE
  • HIGH

The organization:

    • a. Develops and documents an inventory of information system components that:
      1. Accurately reflects the current information system;
      2. Includes all components within the authorization boundary of the information system;
      3. Is at the level of granularity deemed necessary for tracking and reporting; and
      4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
    • b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
FedRAMP control configuration (LOW, MODERATE, and HIGH; FedRAMP-defined values shown in place of the brackets):
  • a. Develops and documents an inventory of information system components that:
    1. Accurately reflects the current information system;
    2. Includes all components within the authorization boundary of the information system;
    3. Is at the level of granularity deemed necessary for tracking and reporting; and
    4. Includes organization-defined information deemed necessary to achieve effective information system component accountability; and
  • b. Reviews and updates the information system component inventory at least monthly.

FedRAMP REQUIREMENT:

Must be provided at least monthly or when there is a change.

SUPPLEMENTAL GUIDANCE

Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.

RELATED CONTROLS: CM-8

CONTROL ENHANCEMENTS

CM-8 (1) INFORMATION SYSTEM COMPONENT INVENTORY | UPDATES DURING INSTALLATIONS / REMOVALS
  • FedRAMP Baseline Membership CM-8 (1):
  • MODERATE
  • HIGH

The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

CM-8 (2) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE
  • FedRAMP Baseline Membership CM-8 (2):
  • HIGH

The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

Supplemental Guidance:

Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.

RELATED CONTROLS: CM-8 (2)

CM-8 (3) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED UNAUTHORIZED COMPONENT DETECTION
  • FedRAMP Baseline Membership CM-8 (3):
  • MODERATE
  • HIGH

The organization:

    • (a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
    • (b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
FedRAMP control configuration:

LOW: There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

MODERATE and HIGH:
  • (a) Employs automated mechanisms continuously, with a maximum five-minute delay in detection, to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
  • (b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies organization-defined personnel or roles].

Supplemental Guidance:

This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.

RELATED CONTROLS: CM-8 (3)

CM-8 (4) INFORMATION SYSTEM COMPONENT INVENTORY | ACCOUNTABILITY INFORMATION
  • FedRAMP Baseline Membership CM-8 (4):
  • HIGH

The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.

FedRAMP control configuration:

LOW: There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

MODERATE and HIGH: The organization includes in the information system component inventory information, a means for identifying by position and role, individuals responsible/accountable for administering those components.

Supplemental Guidance:

Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated).

CM-8 (5) INFORMATION SYSTEM COMPONENT INVENTORY | NO DUPLICATE ACCOUNTING OF COMPONENTS
  • FedRAMP Baseline Membership CM-8 (5):
  • MODERATE
  • HIGH

The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

Supplemental Guidance:

This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems.
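As an added illustration (not FedRAMP or NIST material), the following Python sketch reconciles a constructed authorized inventory against constructed discovery-scan output, implementing the checks that CM-8 (3), CM-8 (4) and CM-8 (5) describe: components observed inside a system's boundary but absent from its inventory, records lacking the position and role accountability fields, serials accounted for in more than one system inventory, and the five-minute detection limit. All record layouts, serials and timestamps are assumptions made for the example.

```python
"""Inventory reconciliation checks for CM-8 (3), CM-8 (4) and CM-8 (5)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data (not from the page): the authorized component inventory,
# one record per component per system, carrying the CM-8 (4) accountability fields.
INVENTORY = [
    {"serial": "SN1001", "system": "SYS-A", "position": "Sysadmin II", "role": "web-admin"},
    {"serial": "SN1002", "system": "SYS-A", "position": "DBA", "role": "db-admin"},
    {"serial": "SN1002", "system": "SYS-B", "position": "DBA", "role": "db-admin"},  # counted twice
    {"serial": "SN1003", "system": "SYS-A", "position": "", "role": "net-admin"},     # no position
]

# Constructed discovery-scan output for SYS-A: serials seen on the network and when
# each was first observed (SN9999 is not in any inventory).
SCAN = {
    "system": "SYS-A",
    "first_seen": {"SN1001": "2024-01-01T10:00:00", "SN1003": "2024-01-01T10:00:05",
                   "SN9999": "2024-01-01T10:00:09"},
}

MAX_DETECTION_DELAY = timedelta(minutes=5)  # FedRAMP CM-8 (3)(a) parameter


def unauthorized_components(scan, inventory):
    """CM-8 (3)(a): serials observed in a system but absent from that system's inventory."""
    authorized = {r["serial"] for r in inventory if r["system"] == scan["system"]}
    return sorted(s for s in scan["first_seen"] if s not in authorized)


def duplicate_components(inventory):
    """CM-8 (5): serials accounted for in more than one system inventory."""
    systems = defaultdict(set)
    for r in inventory:
        systems[r["serial"]].add(r["system"])
    return {s: sorted(names) for s, names in systems.items() if len(names) > 1}


def missing_accountability(inventory):
    """CM-8 (4) with the FedRAMP values (position and role): records lacking either field."""
    return sorted(r["serial"] for r in inventory if not (r["position"] and r["role"]))


def detection_within_limit(scan, alert_time, limit=MAX_DETECTION_DELAY):
    """CM-8 (3)(a): True when the alert fired within the limit for every observed component."""
    alerted = datetime.fromisoformat(alert_time)
    return all(alerted - datetime.fromisoformat(t) <= limit for t in scan["first_seen"].values())


if __name__ == "__main__":
    print("unauthorized:", unauthorized_components(SCAN, INVENTORY))
    print("duplicates:", duplicate_components(INVENTORY))
    print("missing accountability:", missing_accountability(INVENTORY))
    print("alert within limit:", detection_within_limit(SCAN, "2024-01-01T10:04:00"))
```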

CM-8 (6) INFORMATION SYSTEM COMPONENT INVENTORY | ASSESSED CONFIGURATIONS / APPROVED DEVIATIONS

The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.

Supplemental Guidance:

This control enhancement focuses on configuration settings established by organizations for information system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings.

RELATED CONTROLS: CM-8 (6)

CM-8 (7) INFORMATION SYSTEM COMPONENT INVENTORY | CENTRALIZED REPOSITORY

The organization provides a centralized repository for the inventory of information system components.

Supplemental Guidance:

Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. Centralized repositories of information system component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories may also help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. Organizations ensure that the resulting centralized inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner).

CM-8 (8) INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED LOCATION TRACKING

The organization employs automated mechanisms to support tracking of information system components by geographic location.

Supplemental Guidance:

The use of automated mechanisms to track the location of information system components can increase the accuracy of component inventories. Such capability may also help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions.

CM-8 (9) INFORMATION SYSTEM COMPONENT INVENTORY | ASSIGNMENT OF COMPONENTS TO SYSTEMS

The organization:

    • (a) Assigns [Assignment: organization-defined acquired information system components] to an information system; and
    • (b) Receives an acknowledgement from the information system owner of this assignment.

Supplemental Guidance:

Organizations determine the criteria for or types of information system components (e.g., microprocessors, motherboards, software, programmable logic controllers, and network devices) that are subject to this control enhancement.

RELATED CONTROLS: CM-8 (9)

REFERENCES:

  • NIST Special Publication 800-128