AST-02.1: Updates During Installations / Removals
Mechanisms exist to update asset inventories as part of component installations, removals and asset upgrades.
Control Question: Does the organization update asset inventories as part of component installations, removals and asset upgrades?
General (22)
| Framework | Mapping Values |
|---|---|
| GovRAMP Low | CM-08(01) |
| GovRAMP Low+ | CM-08(01) |
| GovRAMP Moderate | CM-08(01) |
| GovRAMP High | CM-08(01) |
| IEC 62443-4-2 2019 | CR 7.8 (11.10.1) |
| NIST Privacy Framework 1.0 | ID.IM-P1 |
| NIST 800-53 R4 | CM-8(1) |
| NIST 800-53 R4 (moderate) | CM-8(1) |
| NIST 800-53 R4 (high) | CM-8(1) |
| NIST 800-53 R5 (source) | CM-8(1) |
| NIST 800-53B R5 (moderate) (source) | CM-8(1) |
| NIST 800-53B R5 (high) (source) | CM-8(1) |
| NIST 800-82 R3 MODERATE OT Overlay | CM-8(1) |
| NIST 800-82 R3 HIGH OT Overlay | CM-8(1) |
| NIST 800-161 R1 | CM-8(1) |
| NIST 800-161 R1 Level 3 | CM-8(1) |
| NIST 800-171A (source) | 3.4.1[f] |
| NIST 800-171 R3 (source) | 03.04.10.a 03.04.10.b 03.04.10.c |
| NIST 800-171A R3 (source) | A.03.04.10.c[01] A.03.04.10.c[02] A.03.04.10.c[03] |
| TISAX ISA 6 | 5.3.3 |
| SCF CORE ESP Level 2 Critical Infrastructure | AST-02.1 |
| SCF CORE ESP Level 3 Advanced Threats | AST-02.1 |
US (14)
| Framework | Mapping Values |
|---|---|
| US CMS MARS-E 2.0 | CM-8(1) |
| US FedRAMP R4 | CM-8(1) |
| US FedRAMP R4 (moderate) | CM-8(1) |
| US FedRAMP R4 (high) | CM-8(1) |
| US FedRAMP R5 (source) | CM-8(1) |
| US FedRAMP R5 (moderate) (source) | CM-8(1) |
| US FedRAMP R5 (high) (source) | CM-8(1) |
| US HIPAA Administrative Simplification 2013 (source) | 164.310(d)(2)(iii) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.310(d)(2)(iii) |
| US HIPAA HICP Small Practice | 5.S.A |
| US HIPAA HICP Medium Practice | 5.M.A 9.M.D |
| US HIPAA HICP Large Practice | 5.M.A 9.M.D 2.L.A |
| US IRS 1075 | CM-8(1) |
| US - TX TX-RAMP Level 2 | CM-8(1) |
EMEA (5)
| Framework | Mapping Values |
|---|---|
| EMEA EU DORA | 8.6 |
| EMEA EU NIS2 Annex | 12.4.3 |
| EMEA Germany C5 2020 | AM-01 AM-02 |
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 2-1-2 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-1-1-1 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.04.10.A 03.04.10.B 03.04.10.C |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to update asset inventories as part of component installations, removals and asset upgrades.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to update asset inventories as part of component installations, removals and asset upgrades.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to update asset inventories as part of component installations, removals and asset upgrades.
Level 3 — Well Defined
Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
- An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
- Technology assets and data are categorized according to data classification and business criticality criteria.
- A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
- Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
- The process of purchasing, updating, repairing and disposing of assets is integrated into ITAM processes.
Level 4 — Quantitatively Controlled
Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to update asset inventories as part of component installations, removals and asset upgrades.
Assessment Objectives
- AST-02.1_A01 the system component inventory is updated as part of component installations.
- AST-02.1_A02 the system component inventory is updated as part of component removals.
- AST-02.1_A03 the system component inventory is updated as part of system updates.
Technology Recommendations
Micro/Small
- Configuration Management Database (CMDB)
Small
- Configuration Management Database (CMDB)
Medium
- Configuration Management Database (CMDB)
Large
- Configuration Management Database (CMDB)
Enterprise
- Configuration Management Database (CMDB)