AST-02.9: Configuration Management Database (CMDB)
Mechanisms exist to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.
Control Question: Does the organization implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information?
General (21)
| Framework | Mapping Values |
|---|---|
| CIS CSC 8.1 | 2.1 2.4 |
| CIS CSC 8.1 IG2 | 2.4 |
| CIS CSC 8.1 IG3 | 2.4 |
| COBIT 2019 | EDM05.01 EDM05.02 EDM05.03 APO01.06 |
| GovRAMP High | CM-08(02) |
| ISO 27002 2022 | 8.9 |
| MPA Content Security Program 5.1 | TS-5.0 |
| NIST 800-53 R4 | CM-8(2) |
| NIST 800-53 R4 (high) | CM-8(2) |
| NIST 800-53 R5 (source) | CM-8(2) CM-8(7) |
| NIST 800-53B R5 (high) (source) | CM-8(2) |
| NIST 800-53 R5 (NOC) (source) | CM-8(7) |
| NIST 800-82 R3 HIGH OT Overlay | CM-8(2) |
| NIST 800-161 R1 | CM-8(2) CM-8(7) |
| NIST 800-161 R1 Level 3 | CM-8(2) CM-8(7) |
| NIST 800-171 R3 (source) | 03.04.08.a 03.04.10.a 03.04.10.b 03.04.10.c |
| NIST 800-172 | 3.4.1e 3.4.3e |
| NIST 800-207 | NIST Tenet 1 NIST Tenet 6 NIST Tenet 7 |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | AST-02.9 |
| SCF CORE ESP Level 2 Critical Infrastructure | AST-02.9 |
| SCF CORE ESP Level 3 Advanced Threats | AST-02.9 |
US (12)
| Framework | Mapping Values |
|---|---|
| US C2M2 2.1 | ASSET-1.D.MIL2 ASSET-1.H.MIL3 ASSET-2.D.MIL2 ASSET-2.E.MIL2 ASSET-2.F.MIL3 ASSET-2.G.MIL3 |
| US CERT RMM 1.2 | ADM:SG3.SP2 SC:SG7.SP1 |
| US CMMC 2.0 Level 3 (source) | CM.L3-3.4.1E CM.L3-3.4.3E |
| US DoD Zero Trust Execution Roadmap | 2.1.1 |
| US DoD Zero Trust Reference Architecture 2.0 | 2.2.1 |
| US DHS ZTCF | APP-01 SYS-03 |
| US FedRAMP R4 | CM-8(2) |
| US FedRAMP R4 (high) | CM-8(2) |
| US FedRAMP R5 (source) | CM-8(2) |
| US FedRAMP R5 (high) (source) | CM-8(2) |
| US HIPAA Administrative Simplification 2013 (source) | 164.310(d)(2)(iii) |
| US HIPAA Security Rule / NIST SP 800-66 R2 (source) | 164.310(d)(2)(iii) |
EMEA (3)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 2-1-2 |
| EMEA Saudi Arabia OTCC-1 2022 | 2-1-1 2-1-1-2 2-1-1-3 |
| EMEA UK DEFSTAN 05-138 | 1301 2423 |
APAC (1)
| Framework | Mapping Values |
|---|---|
| APAC Australia ISM June 2024 | ISM-1493 |
Americas (2)
| Framework | Mapping Values |
|---|---|
| Americas Canada OSFI B-13 | 2.2.3 |
| Americas Canada ITSP-10-171 | 03.04.08.A 03.04.10.A 03.04.10.B 03.04.10.C |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.
Level 3 — Well Defined
Asset Management (AST) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- An IT Asset Management (ITAM) function, or similar function, governs asset management to help ensure compliance with requirements for asset management.
- An ITAM function, or similar function, maintains an inventory of IT assets, covering both physical and virtual assets, as well as centrally managed asset ownership assignments.
- Technology assets and data are categorized according to data classification and business criticality criteria.
- A Cybersecurity Supply Chain Risk Management (C-SCRM) function oversees supply chain risks including the removal and prevention of certain technology services and/ or equipment designated as supply chain threats by a statutory or regulatory body.
- Data/process owners document where sensitive/regulated data is stored, transmitted and processed, generating Data Flow Diagrams (DFDs) and network diagrams to document the flow of data.
- ITAM leverages an established Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets and user assignment.
- An IT infrastructure team, or similar function, ensures that statutory, regulatory and contractual cybersecurity and data protection controls are addressed to ensure secure configurations are designed, built and maintained.
- Configurations conform to industry-recognized standards for hardening (e.g., DISA STIGs, CIS Benchmarks or OEM security guides) for test, development, staging and production environments.
Level 4 — Quantitatively Controlled
Asset Management (AST) efforts are metrics driven and provide sufficient management insight (based on a quantitative understanding of process capabilities) to predict optimal performance, ensure continued operations and identify areas for improvement.
- Metrics reporting includes quantitative analysis of Key Performance Indicators (KPIs).
- Metrics reporting includes quantitative analysis of Key Risk Indicators (KRIs).
- Scope of metrics, KPIs and KRIs covers organization-wide cybersecurity and data protection controls, including functions performed by third-parties.
- Organizational leadership maintains a formal process to objectively review and respond to metrics, KPIs and KRIs (e.g., monthly or quarterly review).
- Based on metrics analysis, process improvement recommendations are submitted for review and are handled in accordance with change control processes.
- Both business and technical stakeholders are involved in reviewing and approving proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to implement and manage a Configuration Management Database (CMDB), or similar technology, to monitor and govern technology asset-specific information.
Assessment Objectives
- AST-02.9_A01 a centralized repository for the system and system component inventory is provided.
- AST-02.9_A02 automated mechanisms used to maintain the currency of the system component inventory are defined.
- AST-02.9_A03 automated mechanisms used to maintain the completeness of the system component inventory are defined.
- AST-02.9_A04 automated mechanisms used to maintain the accuracy of the system component inventory are defined.
- AST-02.9_A05 automated mechanisms used to maintain the availability of the system component inventory are defined.
Technology Recommendations
Micro/Small
- Configuration Management Database (CMDB)
Small
- Configuration Management Database (CMDB)
Medium
- Configuration Management Database (CMDB)
Large
- Configuration Management Database (CMDB)
Enterprise
- Configuration Management Database (CMDB)