
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY


Overview

Number: CM-8
Title: Information System Component Inventory
Impact: LOW
Priority: P1
Subject Area: Configuration Management

Instructions
The organization:
CM-8a. Develops and documents an inventory of information system components that:
       CM-8a.1. Accurately reflects the current information system;
       CM-8a.2. Includes all components within the authorization boundary of the information system;
       CM-8a.3. Is at the level of granularity deemed necessary for tracking and reporting; and
       CM-8a.4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
CM-8b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
Guidance
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location.

Enhancements
CM-8 (1) Updates During Installations / Removals MODERATE

The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

CM-8 (2) Automated Maintenance HIGH
Organizations maintain information system inventories to the extent feasible. Virtual machines, for example, can be difficult to monitor because such machines are not visible to the network when not in use. In such cases, organizations maintain as up-to-date, complete, and accurate an inventory as is deemed reasonable. This control enhancement can be satisfied by the implementation of CM-2 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.

The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

CM-8 (3) Automated Unauthorized Component Detection MODERATE
This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.

The organization:

CM-8 (3)(a)

Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and

CM-8 (3)(b)

Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].

CM-8 (4) Accountability Information HIGH
Identifying individuals who are both responsible and accountable for administering information system components helps to ensure that the assigned components are properly administered and organizations can contact those individuals if some action is required (e.g., component is determined to be the source of a breach/compromise, component needs to be recalled/replaced, or component needs to be relocated).

The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.

CM-8 (5) No Duplicate Accounting Of Components MODERATE
This control enhancement addresses the potential problem of duplicate accounting of information system components in large or complex interconnected systems.

The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

CM-8 (6) Assessed Configurations / Approved Deviations
This control enhancement focuses on configuration settings established by organizations for information system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings.

The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.

CM-8 (7) Centralized Repository
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. Centralized repositories of information system component inventories provide opportunities for efficiencies in accounting for organizational hardware, software, and firmware assets. Such repositories may also help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions. Organizations ensure that the resulting centralized inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner).

The organization provides a centralized repository for the inventory of information system components.

CM-8 (8) Automated Location Tracking
The use of automated mechanisms to track the location of information system components can increase the accuracy of component inventories. Such capability may also help organizations rapidly identify the location and responsible individuals of system components that have been compromised, breached, or are otherwise in need of mitigation actions.

The organization employs automated mechanisms to support tracking of information system components by geographic location.

CM-8 (9) Assignment Of Components To Systems
Organizations determine the criteria for or types of information system components (e.g., microprocessors, motherboards, software, programmable logic controllers, and network devices) that are subject to this control enhancement.

The organization:

CM-8 (9)(a)

Assigns [Assignment: organization-defined acquired information system components] to an information system; and

CM-8 (9)(b)

Receives an acknowledgement from the information system owner of this assignment.