CM-8(2)—Information System Component Inventory

PBMM (P2)

Secret (P2)

Operational

>Control Description

INFORMATION SYSTEM COMPONENT INVENTORY | AUTOMATED MAINTENANCE The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

>Supplemental Guidance

Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable.

This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related control: SI-7.

>Tailoring Guidance

This security control/enhancement is considered to be best practice. Consequently, inclusion in a departmental profile is strongly encouraged in most cases. Control enhancement (2) is key.

Organizations need to maintain an accurate inventory of information system components for both patching and licensing purposes. Automated tools exist to scan the network to identify devices. Note that some network scanning tools used for inventory purposes might trigger alerts on intrusion detection systems.

It may thus be necessary to coordinate intrusion detection and network inventory activities to minimize false positives and negatives.

Ask AI

Configure your API key to use AI features.