CM.L3-3.4.3e Automated Inventory
Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.
Source: NIST SP 800-172 3.4.3e
Discussion: The system component inventory includes system-specific information required for component accountability and to provide support to identify, control, monitor, and verify configuration items in accordance with the authoritative source. The information necessary for effective accountability of system components includes the system name, hardware and software component owners, hardware inventory specifications, software license information, software version numbers, and—for networked components—the machine names and network addresses. Inventory specifications include the manufacturer, supplier information, component type, date of receipt, cost, model, serial number, and physical location. Organizations also use automated mechanisms to implement and maintain authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for systems that include hardware and software inventory tools, configuration management tools, and network management tools. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels.
Assessment Objectives:
Determine if:
- [a] Automated discovery and management tools for the inventory of system components are identified;
- [b] An up-to-date, complete, accurate, and readily available inventory of system components exists; and
- [c] Automated discovery and management tools are employed to maintain an up-to-date, complete, accurate, and readily available inventory of system components.
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing system component inventory; procedures addressing the baseline configuration of the system; configuration management plan; system design documentation; system architecture and configuration documentation; security plan; system configuration settings and associated documentation; configuration change control records; system inventory records; change control records; system maintenance records; system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel responsible for information security; organizational personnel responsible for configuration management; organizational personnel responsible for managing the automated mechanisms implementing the system component inventory; system developers; system/network administrators].
Test: [SELECT FROM: Automated mechanisms implementing baseline configuration maintenance; automated mechanisms implementing the system component inventory].
SPRS Score: 1
POA&M Allowed: Yes