
AST-02.2: Automated Unauthorized Component Detection

AST 3 — Low Detect

Automated mechanisms exist to detect and alert upon the detection of unauthorized hardware, software and firmware components.

Control Question: Does the organization use automated mechanisms to detect and alert upon the detection of unauthorized hardware, software and firmware components?

General (18)

  Framework                                             Mapping Values
  AICPA TSC 2017:2022 (used for SOC 2) (source)         CC7.1-POF4
  CIS CSC 8.1                                           1.2, 1.3, 1.5, 2.3, 2.4
  CIS CSC 8.1 IG1                                       1.2, 2.2, 2.3
  CIS CSC 8.1 IG2                                       1.2, 1.3, 2.2, 2.3, 2.4
  CIS CSC 8.1 IG3                                       1.2, 1.3, 1.5, 2.2, 2.3, 2.4
  CSA IoT SCF 2                                         CCM-06, SNT-04
  GovRAMP Moderate                                      CM-08(03)
  GovRAMP High                                          CM-08(03)
  NIST 800-53 R4                                        CM-8(3)
  NIST 800-53 R4 (moderate)                             CM-8(3)
  NIST 800-53 R4 (high)                                 CM-8(3)
  NIST 800-53 R5 (source)                               CM-8(3)
  NIST 800-53B R5 (moderate) (source)                   CM-8(3)
  NIST 800-53B R5 (high) (source)                       CM-8(3)
  NIST 800-82 R3 MODERATE OT Overlay                    CM-8(3)
  NIST 800-82 R3 HIGH OT Overlay                        CM-8(3)
  NIST 800-207                                          NIST Tenet 5, NIST Tenet 6
  SCF CORE Mergers, Acquisitions & Divestitures (MA&D)  AST-02.2

US (10)

EMEA (3)

  Framework                                             Mapping Values
  EMEA Germany C5 2020                                  AM-02
  EMEA Saudi Arabia OTCC-1 2022                         2-3-1-11
  EMEA UK DEFSTAN 05-138                                3204

APAC (1)

  Framework                                             Mapping Values
  APAC Australia ISM June 2024                          ISM-1807

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to detect and alert upon the detection of unauthorized hardware, software and firmware components.

Level 1 — Performed Informally

C|P-CMM1 is N/A, since a structured process is required to detect and alert upon the detection of unauthorized hardware, software and firmware components.

Level 2 — Planned & Tracked

C|P-CMM2 is N/A, since a well-defined process is required to detect and alert upon the detection of unauthorized hardware, software and firmware components.

Level 3 — Well Defined

Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
  • An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
  • Technology assets and data are categorized according to data classification and business criticality criteria.
  • A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks, including the removal and prevention of certain technology services and/or equipment designated as supply chain threats by a statutory or regulatory body.
  • Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
  • The ITAM tool is configured to detect and alert on instances of duplication, unauthorized components and unauthorized software.
  • Unauthorized configuration changes are responded to in accordance with an Incident Response Plan (IRP) to determine if the change is malicious in nature.

Level 4 — Quantitatively Controlled

Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.

  • Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
  • Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
  • Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
  • Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
  • Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
  • Both business and technical stakeholders are involved in reviewing and approving proposed changes.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to detect and alert upon the detection of unauthorized hardware, software and firmware components.

Assessment Objectives

  1. AST-02.2_A01 automated mechanisms used to detect the presence of unauthorized hardware within the system are defined.
  2. AST-02.2_A02 the frequency at which automated mechanisms are used to detect the presence of unauthorized hardware, software and/or firmware within the system is defined.
  3. AST-02.2_A03 automated mechanisms disable network access by unauthorized components, isolate unauthorized components and/or notify organization-defined personnel or roles.
  4. AST-02.2_A04 personnel or roles to be notified when unauthorized components are detected is/are defined.
  5. AST-02.2_A05 organization-defined actions are taken when unauthorized hardware, software and/or firmware is/are detected.

Technology Recommendations

Micro/Small

  • DHCP logging
  • Active discovery tools
  • Configuration Management Database (CMDB)

Small

  • DHCP logging
  • Active discovery tools
  • Configuration Management Database (CMDB)

Medium

  • DHCP logging
  • Active discovery tools
  • Configuration Management Database (CMDB)
  • CimTrak Integrity Suite (https://cimcor.com/cimtrak)
  • Netwrix Auditor (https://netwrix.com)
  • Vectra (https://vectra.ai)
  • Tripwire (https://tripwire.com)
  • Puppet (https://puppet.com)
  • Chef (https://chef.io)

Large

  • DHCP logging
  • Active discovery tools
  • Configuration Management Database (CMDB)
  • CimTrak Integrity Suite (https://cimcor.com/cimtrak)
  • Netwrix Auditor (https://netwrix.com)
  • Vectra (https://vectra.ai)
  • Tripwire (https://tripwire.com)
  • Puppet (https://puppet.com)
  • Chef (https://chef.io)

Enterprise

  • DHCP logging
  • Active discovery tools
  • Configuration Management Database (CMDB)
  • CimTrak Integrity Suite (https://cimcor.com/cimtrak)
  • Netwrix Auditor (https://netwrix.com)
  • Vectra (https://vectra.ai)
  • Tripwire (https://tripwire.com)
  • Puppet (https://puppet.com)
  • Chef (https://chef.io)
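As an added illustration of the baseline recommendation above (DHCP logging compared against a CMDB), and not code from the SCF or from any vendor listed: the script below parses constructed ISC dhcpd DHCPACK lines, checks each leased MAC against a constructed CMDB extract, and raises the isolate/notify response that AST-02.2_A03 expects. The CMDB schema, the log format, the alert kinds and the action labels are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed CMDB extract (assumed schema): authorized hardware keyed by MAC address.
CMDB = {
    "aa:bb:cc:00:00:01": {"asset_id": "WS-0001", "host": "fin-ws01"},
    "aa:bb:cc:00:00:02": {"asset_id": "SRV-0007", "host": "srv07"},
}
# ISC dhcpd-style syslog lines, constructed for this example.
DHCP_LOG = """\
Jun 10 08:01:12 dhcp01 dhcpd[913]: DHCPACK on 10.20.1.15 to aa:bb:cc:00:00:01 (fin-ws01) via eth0
Jun 10 08:02:40 dhcp01 dhcpd[913]: DHCPACK on 10.20.1.16 to aa:bb:cc:00:00:02 (build-box) via eth0
Jun 10 08:03:05 dhcp01 dhcpd[913]: DHCPDISCOVER from de:ad:be:ef:00:99 via eth0
Jun 10 08:03:06 dhcp01 dhcpd[913]: DHCPACK on 10.20.1.77 to de:ad:be:ef:00:99 (printer-new) via eth0
Jun 10 08:05:09 dhcp01 dhcpd[913]: DHCPACK on 10.20.1.78 to aa:bb:cc:00:00:01 (fin-ws01) via eth0
"""
# Only DHCPACK proves a lease was granted; dhcpd prints the client hostname only when offered.
ACK_RE = re.compile(r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
                    r"(?: \((?P<host>[^)]*)\))?")

@dataclass(frozen=True)
class Alert:
    kind: str    # unauthorized | mismatch | duplicate
    mac: str
    ip: str
    host: str
    action: str  # response expected by AST-02.2_A03: isolate and/or notify

def detect(log: str, cmdb: dict) -> list[Alert]:
    """Evaluate each granted lease against the CMDB; at most one alert per ACK line."""
    alerts, lease_ip = [], {}
    for line in log.splitlines():
        m = ACK_RE.search(line)
        if not m:
            continue
        ip, mac, host = m["ip"], m["mac"].lower(), m["host"] or ""
        record = cmdb.get(mac)
        if record is None:
            # Hardware absent from the inventory: cut its network access and page the on-call role
            alerts.append(Alert("unauthorized", mac, ip, host, "isolate-and-notify"))
        elif host and host != record["host"]:
            # Known MAC, unexpected identity: a re-image or a spoofed address, needs human review
            alerts.append(Alert("mismatch", mac, ip, host, "notify"))
        elif mac in lease_ip and lease_ip[mac] != ip:
            # One authorized MAC holding two addresses in the window: duplicate or cloned device
            alerts.append(Alert("duplicate", mac, ip, host, "notify"))
        lease_ip.setdefault(mac, ip)
    return alerts
```

Feeding a real dhcpd log export and a CMDB query result into `detect()` on the schedule required by AST-02.2_A02 gives the evidence an assessor asks for under A03 through A05; the returned alerts are what gets routed to the defined personnel or roles.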

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
