Guidance for NIST 800-171 Assessment & Compliance
CM-8(9) INFORMATION SYSTEM COMPONENT INVENTORY | ASSIGNMENT OF COMPONENTS TO SYSTEMS |
Scroll Prev Top Next More |
Applicable (Y)es / (N)o |
(C)onfidentiality |
(I)ntegrity |
(A)vailability |
RPN (C+I+A) |
(S)atisfactory |
||||||
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
(O)ther than satisfactory +## |
||
|
|
|
|
|
|
|
|
|
|
|
|
###
cm-8(9) |
information system component inventory | assignment of components to systems |
||
|
assessment objective: Determine if the organization: |
||
cm-8(9)(a) |
cm-8(9)(a)[1] |
defines acquired information system components to be assigned to an information system; and |
|
cm-8(9)(a)[2] |
assigns organization-defined acquired information system components to an information system; and |
||
cm-8(9)(b) |
receives an acknowledgement from the information system owner of the assignment. |
||
potential assessment methods and objects: Examine: [select from: Configuration management policy; procedures addressing information system component inventory; configuration management plan; security plan; information system design documentation; acknowledgements of information system component assignments; information system inventory records; other relevant documents or records]. Interview: [select from: Organizational personnel with inventory management responsibilities for information system components; information system owner; organizational personnel with information security responsibilities; system/network administrators]. Test: [select from: Organizational processes for assigning components to systems; organizational processes for acknowledging assignment of components to systems; automated mechanisms implementing assignment of acquired components to the information system; automated mechanisms implementing acknowledgment of assignment of acquired components to the information system]. |
|||
