Practice CM.L3-3.4.3e Details
Source of Reference: The official CMMC Level 3 Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).
CM.L3-3.4.3E – AUTOMATED INVENTORY
SECURITY REQUIREMENT
Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.
ASSESSMENT OBJECTIVES [NIST SP 800-172A]
Determine if:
- [a] Automated discovery and management tools for the inventory of system components are identified;
- [b] An up-to-date, complete, accurate, and readily available inventory of system components exists; and
- [c] Automated discovery and management tools are employed to maintain an up-to-date, complete, accurate, and readily available inventory of system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]
Examine
[SELECT FROM: Configuration management policy; configuration management plan; procedures addressing system component inventory; procedures addressing the baseline configuration of the system; configuration management plan; system design documentation; system architecture and configuration documentation; security plan; system configuration settings and associated documentation; configuration change control records; system inventory records; change control records; system maintenance records; system audit records; other relevant documents or records].
Interview
[SELECT FROM: Organizational personnel responsible for information security; organizational personnel responsible for configuration management; organizational personnel responsible for managing the automated mechanisms implementing the system component inventory; system developers; system/network administrators].
Test
[SELECT FROM: Automated mechanisms implementing baseline configuration maintenance; automated mechanisms implementing the system component inventory].
DISCUSSION [NIST SP 800-172]
The system component inventory includes system-specific information required for component accountability and to provide support to identify, control, monitor, and verify configuration items in accordance with the authoritative source. The information necessary for effective accountability of system components includes the system name, hardware and software component owners, hardware inventory specifications, software license information, software version numbers, and, for networked components, the machine names and network addresses. Inventory specifications include the manufacturer, supplier information, component type, date of receipt, cost, model, serial number, and physical location. Organizations also use automated mechanisms to implement and maintain authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for systems that include hardware and software inventory tools, configuration management tools, and network management tools. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels.
FURTHER DISCUSSION
Organizations use an automated capability to discover components connected to the network and the system software installed on them. The automated capability must also be able to identify attributes associated with those components. Systems that are already connected to the environment should allow remote access so that their software configuration and components can be inspected. Another option is to place an agent on each system that performs internal checks to identify its software configuration and components. Switch and router data (for example, MAC address and ARP tables) can also be collected to identify systems on the network.
Example
Within your organization, you are in charge of implementing an authoritative inventory of system components. You first create a list of the automated technologies you will use and what each technology will be responsible for identifying [a]. This includes gathering information from switches, routers, access points, primary domain controllers, and all connected systems or devices, whether wired or wireless (printers, IoT, IIoT, OT, IT, etc.) [b]. To keep the data up-to-date, you set a very short search frequency for identifying new components. To maximize availability of this data, all information will be placed in a central inventory/configuration management system, and automated reporting is performed every day [c]. A user dashboard is set up that allows you and other administrators to run reports at any time.
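The following added example (not from the CMMC guide or NIST SP 800-172) illustrates the reconciliation step behind the Further Discussion and the Example above: it merges an endpoint-agent feed with a switch MAC/ARP feed into one inventory and flags components whose data is stale, components seen on the network without an agent record, and components missing the accountability attributes the discussion lists. The feeds, host names, MAC addresses, the one-day freshness window and the function names are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Accountability attributes named in the NIST SP 800-172 discussion above.
REQUIRED_ATTRS = ("system_name", "owner", "serial_number",
                  "software_version", "network_address")

# Constructed sample feeds (not real hosts); timestamps are ISO-8601 UTC.
AGENT_FEED = [  # endpoint-agent check-ins
    {"mac": "00:11:22:33:44:01", "system_name": "ws-01", "owner": "alice",
     "serial_number": "SN-001", "software_version": "10.0.19045",
     "last_seen": "2024-05-01T08:00:00+00:00"},
    {"mac": "00:11:22:33:44:02", "system_name": "ws-02", "owner": "bob",
     "serial_number": "", "software_version": "10.0.19045",
     "last_seen": "2024-04-20T08:00:00+00:00"},  # stale and missing serial
]
SWITCH_FEED = [  # MAC/ARP table pulled from the access switch
    {"mac": "00:11:22:33:44:01", "network_address": "10.0.0.11", "port": "Gi1/0/1"},
    {"mac": "00:11:22:33:44:02", "network_address": "10.0.0.12", "port": "Gi1/0/2"},
    {"mac": "00:11:22:33:44:03", "network_address": "10.0.0.13", "port": "Gi1/0/3"},
]


def reconcile(agent_feed, switch_feed, now, max_age):
    """Merge both feeds by MAC address and classify every component.

    Returns inventory (merged records by MAC), stale (agent data older than
    max_age), unmanaged (on the network, no agent record) and incomplete
    (MAC -> REQUIRED_ATTRS that are missing or empty)."""
    inventory = {r["mac"]: dict(r) for r in agent_feed}
    for r in switch_feed:  # network view adds address/port, or creates the record
        rec = inventory.setdefault(r["mac"], {"mac": r["mac"]})
        rec.update(network_address=r["network_address"], switch_port=r["port"])
    stale, unmanaged, incomplete = [], [], {}
    for mac, rec in inventory.items():
        if "last_seen" not in rec:
            unmanaged.append(mac)
        elif now - datetime.fromisoformat(rec["last_seen"]) > max_age:
            stale.append(mac)
        missing = [a for a in REQUIRED_ATTRS if not rec.get(a)]
        if missing:
            incomplete[mac] = missing
    return {"inventory": inventory, "stale": stale,
            "unmanaged": unmanaged, "incomplete": incomplete}


def example_report():
    """Run the reconciliation on the sample feeds with a one-day freshness window."""
    now = datetime(2024, 5, 1, 12, tzinfo=timezone.utc)
    return reconcile(AGENT_FEED, SWITCH_FEED, now, timedelta(days=1))
```

Calling example_report() flags ws-02 as stale and incomplete, and the third MAC as an unmanaged device that needs another discovery source (such as the agentless remote inspection described above) before the inventory can be called complete.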
Potential Assessment Considerations
- Can the organization explain the process by which current inventory information is acquired [a]?
- Is the organization able to produce an inventory of components on the network [b,c]?
- Has the organization implemented a valid frequency for the component discovery solution [b,c]?
- Can the organization demonstrate that the inventory is current and accurate [b]?
- Has the organization developed a defined list of identifiable attributes for each component type, and is that list adequate to support component accountability [a]?
- Is the organization able to track, monitor, and verify configuration items in accordance with the organization’s authoritative list of components [b,c]?
KEY REFERENCES
- NIST SP 800-172 3.4.3e