Level 5 CMMC - CMMC Practices

AM.4.226

Reference: CMMC 1.02

Family: AM

Level Introduced: 4

Practice:
Employ a capability to discover and identify systems with specific component attributes (e.g., firmware level, OS type) within your inventory.

CMMC Clarification:
One purpose an organization might have in determining the component attributes is to identify and locate specific systems in the event a vulnerability is discovered in the hardware or software installed, so that patches can be rapidly deployed to these systems or the systems can be isolated from the network. For small organizations or small enclaves, this might be achieved with manual processes. Automation is expected as scale increases in order to achieve results in an operationally meaningful timeframe.

Example 1
You are an IT administrator for your organization. You learn from the vendor about a privilege escalation vulnerability in version 9.3.201 of an application when running on macOS 10.14. Since you have this version of the application installed at your organization, you download the patch the vendor has released to correct this vulnerability. You run a report to identify all the macOS 10.14 systems with this version of the software application installed. You schedule a job to install the patch the next time each of the systems on the report connects to the network.

Example 2
You are on the cyber hunt team and find out there is a technique in the wild that adversaries are using against an IoT sensor that your organization has deployed. You check your system to identify how many of these sensors are currently connected to the network and their IP addresses. You provide this information to the cyber operations team for increased monitoring until the vendor releases a patch.

Organizations employ systems that can assess assets connected to the network in real time, or can create an inventory identifying system-specific information required for component accountability and to provide support to identify, control, monitor, and verify configuration items in accordance with the authoritative source. For user computing systems this should include: firmware level, OS type, drive type, network and wireless card vendors, monitor card type and vendor, and software applications installed on that system.
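The two examples above and the attribute list in the preceding paragraph amount to one capability: an inventory that records per-component attributes (OS type and version, firmware level, model, installed applications and their versions) and can be queried by any combination of them. The following is an added illustration, not code from the CMMC documents or from any particular asset-management product. The inventory records, hostnames, IP addresses, the application name "ReportViewer" and the sensor model "TempSense-200" are all constructed for the example; in practice the records would come from the organization's discovery or asset-management tooling. It goes slightly beyond Example 1 by also supporting a version ceiling ("<=9.3.201"), since vendor advisories often cover every release up to a fixed version rather than a single one.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, List, Optional


@dataclass
class Asset:
    """One inventory record. The fields mirror the attributes the practice text
    asks an inventory to capture (OS type, firmware level, model, installed software)."""
    hostname: str
    ip: str
    os_type: str
    os_version: str
    model: str
    firmware: str
    apps: Dict[str, str] = field(default_factory=dict)  # application name -> version


def version_tuple(version: str) -> tuple:
    """'9.3.201' -> (9, 3, 201), so versions compare numerically rather than as strings
    (string comparison would rank '9.3.25' above '9.3.201')."""
    return tuple(int(part) for part in version.split("."))


def version_matches(actual: str, spec: str) -> bool:
    """spec is either an exact version ('9.3.201') or a ceiling ('<=9.3.201')."""
    if spec.startswith("<="):
        return version_tuple(actual) <= version_tuple(spec[2:])
    return version_tuple(actual) == version_tuple(spec)


def query(inventory: Iterable[Asset], *predicates: Callable[[Asset], bool]) -> List[Asset]:
    """Return every asset that satisfies all of the given attribute predicates (an AND)."""
    return [asset for asset in inventory if all(pred(asset) for pred in predicates)]


# Attribute predicates. Each returns a function of one Asset so they can be combined freely.
def has_os(os_type: str, os_version: Optional[str] = None) -> Callable[[Asset], bool]:
    return lambda a: a.os_type == os_type and (os_version is None or a.os_version == os_version)


def has_app(name: str, version_spec: Optional[str] = None) -> Callable[[Asset], bool]:
    return lambda a: name in a.apps and (
        version_spec is None or version_matches(a.apps[name], version_spec)
    )


def is_model(model: str) -> Callable[[Asset], bool]:
    return lambda a: a.model == model


def hosts_running(inventory: Iterable[Asset], os_type: str, os_version: str,
                  app: str, version_spec: str) -> List[str]:
    """Example 1: hostnames to target with the vendor patch job."""
    matches = query(inventory, has_os(os_type, os_version), has_app(app, version_spec))
    return sorted(a.hostname for a in matches)


def addresses_of_model(inventory: Iterable[Asset], model: str) -> List[str]:
    """Example 2: IP addresses of every connected device of a given model, for the
    monitoring team."""
    return sorted(a.ip for a in query(inventory, is_model(model)))


# Constructed sample inventory; every value here is made up for the example.
INVENTORY = [
    Asset("mac-01", "10.0.10.21", "macOS", "10.14", "MacBookPro15,1", "220.270.99",
          {"ReportViewer": "9.3.201"}),
    Asset("mac-02", "10.0.10.22", "macOS", "10.15", "MacBookPro15,1", "220.270.99",
          {"ReportViewer": "9.3.201"}),          # same app version, different OS: not affected
    Asset("mac-03", "10.0.10.23", "macOS", "10.14", "MacBookPro15,1", "220.270.99",
          {"ReportViewer": "9.3.250"}),          # newer than the affected release
    Asset("mac-04", "10.0.10.24", "macOS", "10.14", "MacBookPro15,1", "220.270.99",
          {"ReportViewer": "9.2.100"}),          # older release, caught only by a "<=" ceiling
    Asset("win-01", "10.0.10.31", "Windows", "10", "Latitude 7400", "1.12.0",
          {"ReportViewer": "9.3.201"}),          # app present, wrong OS
    Asset("iot-01", "10.0.20.11", "RTOS", "2.1", "TempSense-200", "1.4.2"),
    Asset("iot-02", "10.0.20.12", "RTOS", "2.1", "TempSense-200", "1.4.2"),
    Asset("iot-03", "10.0.20.13", "RTOS", "2.0", "HumidSense-50", "3.0.1"),
]


if __name__ == "__main__":
    # Example 1: exactly the version named in the advisory, on macOS 10.14 only.
    print("patch job:", hosts_running(INVENTORY, "macOS", "10.14", "ReportViewer", "9.3.201"))
    # Same query with a ceiling, as when the advisory covers all releases up to 9.3.201.
    print("patch job (<=):", hosts_running(INVENTORY, "macOS", "10.14", "ReportViewer", "<=9.3.201"))
    # Example 2: every connected sensor of the affected model, by IP address.
    print("sensors:", addresses_of_model(INVENTORY, "TempSense-200"))
```

The predicate style is the point: the advisory in Example 1 constrains two attributes (OS version and application version), Example 2 constrains one (device model), and a later advisory might name a firmware level instead. Each case is a different combination of the same small predicates over the same inventory, which is what "discover and identify systems with specific component attributes" asks for. The clarification's note on automation applies to how INVENTORY is populated: at small scale it can be maintained by hand, but the query only gives a correct answer if the records are current.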

Source: CMMC v1.02

3.4.3e

Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.

Discussion:
The system component inventory includes system-specific information required for component accountability and to provide support to identify, control, monitor, and verify configuration items in accordance with the authoritative source. The information necessary for effective accountability of system components includes system name, hardware component owners, hardware inventory specifications, software license information, software component owners, version numbers, and for networked components, the machine names and network addresses. Inventory specifications include manufacturer, supplier information, component type, date of receipt, cost, model, serial number, and physical location. Organizations also use automated mechanisms to implement and maintain authoritative (i.e., up-to-date, complete, accurate, and available) baseline configurations for systems that include hardware and software inventory tools, configuration management tools, and network management tools. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels.

Source: NIST Special Publication 800-172 (Draft)

CM-8

INFORMATION SYSTEM COMPONENT INVENTORY

Description:
The organization:
    a. Develops and documents an inventory of information system components that:
        1. Accurately reflects the current information system;
        2. Includes all components within the authorization boundary of the information system;
        3. Is at the level of granularity deemed necessary for tracking and reporting; and
        4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
    b. Reviews and updates the information system component inventory [Assignment: organization-defined frequency].

Supplemental Guidance:
Organizations may choose to implement centralized information system component inventories that include components from all organizational information systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., information system association, information system owner). Information deemed necessary for effective accountability of information system components includes, for example, hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location. Related controls: CM-2, CM-6, PM-5.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02