CMMC Requirement CM.L3-3.4.3E – Automated Inventory: Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.
Links to Publicly Available Resources
This blog post describes IT asset management and why it's important to manage IT assets.
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 3.
The NIST Cybersecurity Framework includes ID.AM: Asset Management as a Framework category, and this resource describes the related subcategories necessary to meet the requirements of the framework.
This resource provides an overview of IT asset discovery and why it's important.
This interview describes how continuous visibility into an organization's IT assets leads to a reduction in threats to networks.
This blog post provides 5 key benefits for protecting industrial assets.
The system component inventory includes system-specific information required for component accountability and to provide support to identify, control, monitor, and verify configuration items in accordance with the authoritative source. The information necessary for effective accountability of system components includes the system name, hardware and software component owners, hardware inventory specifications, software license information, software version numbers, and—for networked components—the machine names and network addresses. Inventory specifications include the manufacturer, supplier information, component type, date of receipt, cost, model, serial number, and physical location. Organizations also use automated mechanisms to implement and maintain authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for systems that include hardware and software inventory tools, configuration management tools, and network management tools. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels.
Further Discussion
Organizations use an automated capability to discover components connected to the network and the system software installed. The automated capability must also be able to identify attributes associated with those components. Systems that have already been coupled to the environment should allow remote access for inspection of the system software configuration and components. Another option is to place an agent on systems that performs internal system checks to identify system software configuration and components. Collection of switch and router data can also be used to identify systems on networks.
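The reconciliation step this implies, as an added example that is not part of the CMMC guidance or of any inventory product: hosts seen in switch and router data are compared with the inventory, and records missing accountability attributes are flagged. The CSV layouts, field names and sample rows are constructed assumptions.

```python
import csv
import io

# Subset of the accountability attributes named in the discussion (field names are assumed).
REQUIRED = ("system_name", "owner", "serial_number", "location", "os_version")

# Constructed sample: export of the authoritative inventory (hypothetical layout).
INVENTORY_CSV = """mac,ip,system_name,owner,serial_number,location,os_version
00:11:22:33:44:01,10.0.0.11,eng-ws-01,j.doe,SN-A001,Bldg 2,Windows 11 23H2
00-11-22-33-44-02,10.0.0.12,eng-ws-02,,SN-A002,Bldg 2,Windows 11 23H2
00:11:22:33:44:03,10.0.0.13,lab-srv-01,ops,SN-A003,Lab 1,Ubuntu 22.04
"""

# Constructed sample: MAC/IP pairs collected from switch and router tables.
DISCOVERED_CSV = """mac,ip,switch_port
0011.2233.4401,10.0.0.11,sw1/Gi0/1
0011.2233.4402,10.0.0.99,sw1/Gi0/2
0011.2233.44ff,10.0.0.50,sw1/Gi0/7
"""

def norm_mac(mac):
    """Reduce colon, dash and dotted MAC notations to 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def load(text):
    """Index CSV rows by normalized MAC so both sources share one key."""
    return {norm_mac(r["mac"]): r for r in csv.DictReader(io.StringIO(text))}

def missing(rec):
    """List the required attributes that are empty in an inventory record."""
    return [f for f in REQUIRED if not (rec.get(f) or "").strip()]

def reconcile(inventory_csv, discovered_csv):
    inv, seen = load(inventory_csv), load(discovered_csv)
    both = seen.keys() & inv.keys()
    return {
        "unknown": sorted(seen.keys() - inv.keys()),    # on the network, not inventoried
        "not_seen": sorted(inv.keys() - seen.keys()),   # inventoried, not observed this run
        "ip_changed": sorted(m for m in both if seen[m]["ip"] != inv[m]["ip"]),
        "incomplete": {m: missing(r) for m, r in sorted(inv.items()) if missing(r)},
    }

if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY_CSV, DISCOVERED_CSV).items():
        print(finding, items)
```
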