Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

cm-8

information system component inventory    

assessment objective:

Determine if the organization:

cm-8(a)

cm-8(a)(1)

develops and documents an inventory of information system components that accurately reflects the current information system;

cm-8(a)(2)

develops and documents an inventory of information system components that includes all components within the authorization boundary of the information system;

cm-8(a)(3)

develops and documents an inventory of information system components that is at the level of granularity deemed necessary for tracking and reporting;

cm-8(a)(4)

cm-8(a)(4)[1]

defines the information deemed necessary to achieve effective information system component accountability;

cm-8(a)(4)[2]

develops and documents an inventory of information system components that includes organization-defined information deemed necessary to achieve effective information system component accountability;

cm-8(b)

cm-8(b)[1]

defines the frequency to review and update the information system component inventory; and

cm-8(b)[2]

reviews and updates the information system component inventory with the organization-defined frequency.

potential assessment methods and objects:

Examine: [select from: Configuration management policy; procedures addressing information system component inventory; configuration management plan; security plan; information system inventory records; inventory reviews and update records; other relevant documents or records].

Interview: [select from: Organizational personnel with responsibilities for information system component inventory; organizational personnel with information security responsibilities; system/network administrators].

Test: [select from: Organizational processes for developing and documenting an inventory of information system components; automated mechanisms supporting and/or implementing the information system component inventory].