AST-02.3: Component Duplication Avoidance
Mechanisms exist to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.
Control Question: Does the organization establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories?
General (29)
| Framework | Mapping Values |
|---|---|
| CIS CSC 8.1 | 1.3 |
| CIS CSC 8.1 IG2 | 1.3 |
| CIS CSC 8.1 IG3 | 1.3 |
| GovRAMP Core | CM-08 |
| GovRAMP Low | CM-08 |
| GovRAMP Low+ | CM-08 |
| GovRAMP Moderate | CM-08 |
| GovRAMP High | CM-08 |
| MITRE ATT&CK 10 | T1011.001, T1020.001, T1021.001, T1021.003, T1021.004, T1021.005, T1021.006, T1046, T1052, T1052.001, T1053, T1053.002, T1053.005, T1059, T1059.001, T1059.005, T1059.007, T1068, T1072, T1091, T1092, T1098.004, T1119, T1127, T1127.001, T1133, T1137, T1137.001, T1189, T1190, T1195.003, T1203, T1210, T1211, T1212, T1213, T1213.001, T1213.002, T1218, T1218.003, T1218.004, T1218.005, T1218.008, T1218.009, T1218.012, T1218.013, T1218.014, T1221, T1495, T1505, T1505.001, T1505.002, T1505.004, T1530, T1542, T1542.001, T1542.003, T1542.004, T1542.005, T1546.002, T1546.006, T1546.014, T1547.007, T1548, T1548.004, T1553, T1553.006, T1557, T1557.001, T1557.002, T1559, T1559.002, T1563, T1563.001, T1563.002, T1564.006, T1564.007, T1565, T1565.001, T1565.002, T1574, T1574.004, T1574.007, T1574.008, T1574.009, T1601, T1601.001, T1601.002, T1602, T1602.001, T1602.002 |
| NIST 800-53 R4 | CM-8(5) |
| NIST 800-53 R4 (moderate) | CM-8(5) |
| NIST 800-53 R4 (high) | CM-8(5) |
| NIST 800-53 R5 (source) | CM-8 |
| NIST 800-53B R5 (low) (source) | CM-8 |
| NIST 800-53B R5 (moderate) (source) | CM-8 |
| NIST 800-53B R5 (high) (source) | CM-8 |
| NIST 800-82 R3 LOW OT Overlay | CM-8 |
| NIST 800-82 R3 MODERATE OT Overlay | CM-8 |
| NIST 800-82 R3 HIGH OT Overlay | CM-8 |
| NIST 800-161 R1 | CM-8 |
| NIST 800-161 R1 C-SCRM Baseline | CM-8 |
| NIST 800-161 R1 Flow Down | CM-8 |
| NIST 800-161 R1 Level 2 | CM-8 |
| NIST 800-161 R1 Level 3 | CM-8 |
| NIST 800-171 R2 (source) | NFO-CM-8(5) |
| NIST 800-207 | NIST Tenet 1 |
| SCF CORE ESP Level 1 Foundational | AST-02.3 |
| SCF CORE ESP Level 2 Critical Infrastructure | AST-02.3 |
| SCF CORE ESP Level 3 Advanced Threats | AST-02.3 |
US (8)
| Framework | Mapping Values |
|---|---|
| US CMS MARS-E 2.0 | CM-8(5) |
| US FedRAMP R4 | CM-8(5) |
| US FedRAMP R4 (moderate) | CM-8(5) |
| US FedRAMP R4 (high) | CM-8(5) |
| US HIPAA HICP Large Practice | 5.L.A |
| US IRS 1075 | CM-8 |
| US - TX DIR Control Standards 2.0 | CM-8 |
| US - TX TX-RAMP Level 2 | CM-8(5) |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.
Level 3 — Well Defined
Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
- An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
- Technology assets and data are categorized according to data classification and business criticality criteria.
- A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
- Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
Level 4 — Quantitatively Controlled
Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components that prevents assets from being duplicated in other asset inventories.
Assessment Objectives
- AST-02.3_A01 an inventory of system components that accurately reflects the system is developed and documented.
- AST-02.3_A02 an inventory of system components that includes all components within the system is developed and documented.
- AST-02.3_A03 an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented.
- AST-02.3_A04 an inventory of system components that includes information is developed and documented.
- AST-02.3_A05 the system component inventory is reviewed / updated frequently.
Technology Recommendations
Micro/Small
- Configuration Management Database (CMDB)
Small
- Configuration Management Database (CMDB)
Medium
- Configuration Management Database (CMDB)
Large
- Configuration Management Database (CMDB)
Enterprise
- Configuration Management Database (CMDB)