
CM-8 System Component Inventory

Applicable baselines: LI-SaaS, Low, Moderate, High

>Control Description

a. Develop and document an inventory of system components that:

   1. Accurately reflects the system;
   2. Includes all components within the system;
   3. Does not include duplicate accounting of components or components assigned to any other system;
   4. Is at the level of granularity deemed necessary for tracking and reporting; and
   5. Includes the following information to achieve system component accountability: [organization-defined information deemed necessary to achieve effective system component accountability]; and

b. Review and update the system component inventory [organization-defined frequency].

>FedRAMP Baseline Requirements

Parameter Values

CM-8 (b), review and update frequency: at least monthly

Additional Requirements and Guidance

CM-8 Requirement: the system component inventory must be provided at least monthly or when there is a change.

>Discussion

System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability.

The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location. Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems.

Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components.

Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8 (7) can help to eliminate duplicate accounting of components.

>Cross-Framework Mappings

>Programmatic Queries


Related Services

AWS Config
Systems Manager Inventory
Resource Groups

CLI Commands

All of these commands return results for the current account and region only; an inventory that spans several accounts or regions has to be assembled from each of them.

List discovered EC2 instances (AWS Config; one resource type per call)
aws configservice list-discovered-resources --resource-type AWS::EC2::Instance
Get SSM managed instances (only hosts whose SSM agent has checked in appear here)
aws ssm describe-instance-information
List EC2 instances through the tagging API
aws resourcegroupstaggingapi get-resources --resource-type-filters ec2:instance
Export resource inventory with an advanced query (the SQL string literal takes single quotes, so the whole expression is double-quoted for the shell)
aws configservice select-resource-config --expression "SELECT resourceId, resourceType, configuration WHERE resourceType = 'AWS::EC2::Instance'"
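The Discussion above asks for one unique identifier per component, no duplicate accounting across systems, and no phantom duplicates from scanning the same host in IPv4 and IPv6 address spaces; the CLI queries give the raw records. The script below is an added example, not code from this page, FedRAMP or NIST: it reconciles hand-constructed records shaped like trimmed output of `list-discovered-resources` (resourceId, resourceType) and `describe-instance-information` (InstanceId, LastPingDateTime) with a network scan and with each system's own inventory, keyed on the instance ID. The scan record layout, the per-system inventory sets and the 30-day staleness window (from the "at least monthly" parameter) are assumptions.

```python
"""Reconcile CM-8 inventory records from several sources by unique identifier.

Added example, not part of the FedRAMP page or NIST text. All input records
are constructed by hand; the scan and per-system inventory formats are assumed.
"""
import ipaddress
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample: AWS Config's view of the account (resourceId is the unique ID).
CONFIG_RESOURCES = [
    {"resourceId": "i-0aaa1111", "resourceType": "AWS::EC2::Instance"},
    {"resourceId": "i-0bbb2222", "resourceType": "AWS::EC2::Instance"},
    {"resourceId": "i-0ccc3333", "resourceType": "AWS::EC2::Instance"},
    {"resourceId": "i-0ddd4444", "resourceType": "AWS::EC2::Instance"},
]
# Constructed sample: hosts whose SSM agent has checked in.
SSM_INSTANCES = [
    {"InstanceId": "i-0aaa1111", "LastPingDateTime": "2024-05-01"},
    {"InstanceId": "i-0bbb2222", "LastPingDateTime": "2024-03-10"},
]
# Constructed sample: scan hits; two hosts answer on IPv4 and IPv6, and
# i-0eee5555 is seen by the scanner only (assumed record layout).
SCAN_HITS = [
    {"address": "10.0.1.5", "instance_id": "i-0aaa1111"},
    {"address": "2001:db8::5", "instance_id": "i-0aaa1111"},
    {"address": "10.0.1.9", "instance_id": "i-0bbb2222"},
    {"address": "10.0.2.7", "instance_id": "i-0ddd4444"},
    {"address": "2001:db8::7", "instance_id": "i-0ddd4444"},
    {"address": "10.0.3.1", "instance_id": "i-0eee5555"},
]
# Constructed sample: what each system's documented inventory claims (assumed format).
SYSTEM_INVENTORIES = {
    "SYS-A": {"i-0aaa1111", "i-0bbb2222", "i-0ddd4444", "i-0fff6666"},
    "SYS-B": {"i-0ddd4444"},
}


def _blank(rtype="unknown"):
    return {"type": rtype, "addresses": set(), "ssm_managed": False, "last_ping": None}


def build_inventory(config_resources, ssm_instances, scan_hits):
    """One record per unique identifier, merged across sources.

    Scan hits for the same ID in different address spaces (IPv4, IPv6) fold into
    one record's address set instead of becoming two components.
    """
    inv = {}
    for r in config_resources:
        inv[r["resourceId"]] = _blank(r["resourceType"])
    for s in ssm_instances:
        rec = inv.setdefault(s["InstanceId"], _blank())
        rec["ssm_managed"] = True
        rec["last_ping"] = date.fromisoformat(s["LastPingDateTime"])
    for hit in scan_hits:
        rec = inv.setdefault(hit["instance_id"], _blank())
        rec["addresses"].add(str(ipaddress.ip_address(hit["address"])))  # canonical text form
    return inv


def address_families(inventory, component_id):
    """IP versions a component was observed on, e.g. [4, 6] for a dual-stack host."""
    return sorted({ipaddress.ip_address(a).version for a in inventory[component_id]["addresses"]})


def system_associations(inventory, system_inventories):
    """Map every observed component to the systems whose inventories claim it."""
    claims = defaultdict(list)
    for system, ids in system_inventories.items():
        for cid in ids:
            claims[cid].append(system)
    return {cid: sorted(claims[cid]) for cid in inventory}


def find_unassigned(inventory, system_inventories):
    """Observed components that no system accounts for (CM-8a.2 gap)."""
    return sorted(c for c, s in system_associations(inventory, system_inventories).items() if not s)


def find_duplicate_accounting(inventory, system_inventories):
    """Components claimed by more than one system (CM-8a.3 violation)."""
    return {c: s for c, s in system_associations(inventory, system_inventories).items() if len(s) > 1}


def find_unverified(inventory, system_inventories):
    """IDs a system lists but no source observed (CM-8a.1: inventory does not reflect the system)."""
    claimed = set().union(*system_inventories.values())
    return sorted(claimed - set(inventory))


def find_unmanaged(inventory):
    """Components with no SSM agent check-in, which SSM Inventory therefore cannot track."""
    return sorted(c for c, rec in inventory.items() if not rec["ssm_managed"])


def find_stale(inventory, as_of, max_age_days=30):
    """Managed components whose last check-in predates the review window (CM-8b, monthly)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    cutoff = as_of - timedelta(days=max_age_days)
    return sorted(c for c, rec in inventory.items() if rec["last_ping"] and rec["last_ping"] < cutoff)


if __name__ == "__main__":
    inv = build_inventory(CONFIG_RESOURCES, SSM_INSTANCES, SCAN_HITS)
    print(len(SCAN_HITS), "scan hits collapse to", len(inv), "unique components")
    print("unassigned:", find_unassigned(inv, SYSTEM_INVENTORIES))
    print("duplicate accounting:", find_duplicate_accounting(inv, SYSTEM_INVENTORIES))
    print("unverified:", find_unverified(inv, SYSTEM_INVENTORIES))
    print("unmanaged:", find_unmanaged(inv), "stale:", find_stale(inv, "2024-05-15"))
```

Run as-is the six scan hits collapse to five components, the dual-stack hosts show both address families on a single record, i-0ddd4444 is flagged because two systems claim it, i-0ccc3333 and i-0eee5555 belong to no system, and i-0fff6666 is listed in SYS-A's inventory without any source seeing it. Feeding real query output in is a matter of replacing the constructed lists with the parsed JSON of the commands above.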

>Relevant Technologies

Technology-specific guidance with authoritative sources and verification commands.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-8 (System Component Inventory)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-8?
  • How frequently is the CM-8 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-8?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-8 requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-8?
  • How is CM-8 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-8 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-8?
  • What audit logs, records, reports, or monitoring data validate CM-8 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-8 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-8 compliance?
