CM-8(2)—Information System Component Inventory
>Control Description
>Supplemental Guidance
Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable.
This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7.
>Tailoring Guidance
This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases. Control enhancement (2) is key.
Organizations need to maintain an accurate inventory of information system components for both patching and licensing purposes. Automated tools exist to scan the network to identify devices. Note that some network scanning tools used for inventory purposes might trigger alerts on intrusion detection systems.
It may thus be necessary to coordinate intrusion detection and network inventory activities to minimize false positives and negatives.
Ask AI
Configure your API key to use AI features.