CM-8—Information System Component Inventory
>Control Description
>Supplemental Guidance
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses.
Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6.
>Tailoring Guidance
This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases.
Ask AI
Configure your API key to use AI features.