G.2.5 Asset inventory

Control Details

Objective

Hardware and software assets are inventoried to enable incident response; system analysis; traceability for critical components; and reliable identification when assets need to be changed or decommissioned.

Definition

Maintain a system component inventory that includes hardware, software licenses, software versions, direct and transitive component owners, containers, machine names, and network addresses. Maintain an operations software inventory that includes a map of source code; open source incorporated during the build or dynamically in production; and software deployments with their related containerization, orchestration, and deployment automation code, each with a respective owner. Establish unique identifiers for the inventoried assets. Suppliers should also produce an asset inventory, for example by generating SBOMs. Pay particular attention to keeping the inventory current when a product or system is retired.

Assessment Questions

  1. How is an asset inventory automatically or manually generated and maintained?
  2. How do you integrate vulnerability management with asset inventory management, for example through SBOMs or software composition analysis?
  3. What process is used for the asset inventory to be updated when a product or system goes to end-of-life?
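The following is an added worked example, not part of this control text or any of the referenced frameworks. It shows the kind of inventory the Definition calls for and the SBOM-based vulnerability cross-check asked about in question 2: a CycloneDX-shaped SBOM (constructed sample, with hypothetical package names and a placeholder image digest) is walked from the root product so every component gets a unique identifier (its bom-ref, a purl here), a depth that distinguishes direct from transitive dependencies, a dependency path, and an owner from a constructed owner registry; the inventory is then matched against a constructed advisory feed, unowned assets are reported as inventory gaps, and retired assets are marked rather than deleted so traceability survives end-of-life (question 3). The owner registry, advisory feed and advisory id are assumptions made for the example.

```python
"""Added example: build a component inventory from a CycloneDX-style SBOM,
attach owners, classify direct vs. transitive dependencies, and cross-check
it against a vulnerability feed. All inputs are constructed sample data, not
real products, packages or advisories."""
import json
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed SBOM in the CycloneDX JSON shape, trimmed to the fields used here.
# The package names are hypothetical and the image digest is a placeholder.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "pkg:generic/billing-api@2.3.0",
                               "name": "billing-api", "version": "2.3.0", "type": "application"}},
    "components": [
        {"bom-ref": "pkg:pypi/acme-http@1.4.2", "type": "library", "name": "acme-http", "version": "1.4.2"},
        {"bom-ref": "pkg:pypi/acme-tls@0.9.1", "type": "library", "name": "acme-tls", "version": "0.9.1"},
        {"bom-ref": "pkg:oci/billing-api-image@sha256:PLACEHOLDER", "type": "container",
         "name": "billing-api-image", "version": "sha256:PLACEHOLDER"},
    ],
    "dependencies": [
        {"ref": "pkg:generic/billing-api@2.3.0",
         "dependsOn": ["pkg:pypi/acme-http@1.4.2", "pkg:oci/billing-api-image@sha256:PLACEHOLDER"]},
        {"ref": "pkg:pypi/acme-http@1.4.2", "dependsOn": ["pkg:pypi/acme-tls@0.9.1"]},
    ],
})

# Constructed owner registry (asset id -> owning team); acme-tls deliberately has none.
OWNERS = {
    "pkg:generic/billing-api@2.3.0": "payments-team",
    "pkg:pypi/acme-http@1.4.2": "payments-team",
    "pkg:oci/billing-api-image@sha256:PLACEHOLDER": "platform-team",
}

# Constructed advisory feed: advisory id -> affected (name, version) pairs.
VULN_FEED: Dict[str, Set[Tuple[str, str]]] = {
    "EXAMPLE-ADV-0001": {("acme-tls", "0.9.1"), ("acme-tls", "0.9.0")},
}


@dataclass
class Asset:
    asset_id: str                 # unique identifier: the CycloneDX bom-ref (a purl here)
    name: str
    version: str
    kind: str                     # application, library, container, ...
    owner: Optional[str]
    depth: int                    # 0 = root product, 1 = direct dependency, >1 = transitive
    via: List[str] = field(default_factory=list)  # dependency path from the root
    status: str = "active"


def build_inventory(sbom_json: str, owners: Dict[str, str]) -> Dict[str, Asset]:
    sbom = json.loads(sbom_json)
    root = sbom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in sbom["components"]}
    comps[root["bom-ref"]] = root
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    inventory: Dict[str, Asset] = {}
    # Breadth-first walk from the root, so each component's depth is its shortest path.
    queue = deque([(root["bom-ref"], 0, [])])
    while queue:
        ref, depth, via = queue.popleft()
        if ref in inventory:
            continue
        c = comps[ref]
        inventory[ref] = Asset(ref, c["name"], c["version"], c["type"], owners.get(ref), depth, via)
        for child in edges.get(ref, []):
            queue.append((child, depth + 1, via + [ref]))
    # Components listed in the SBOM but not reachable from the root are still assets;
    # depth -1 marks them as orphans worth investigating.
    for ref, c in comps.items():
        inventory.setdefault(ref, Asset(ref, c["name"], c["version"], c["type"], owners.get(ref), -1))
    return inventory


def vulnerable_assets(inventory: Dict[str, Asset], feed: Dict[str, Set[Tuple[str, str]]]) -> List[Tuple[str, str]]:
    """Return sorted (advisory id, asset id) pairs for active assets the feed affects."""
    return sorted((adv, a.asset_id) for adv, affected in feed.items()
                  for a in inventory.values()
                  if a.status == "active" and (a.name, a.version) in affected)


def unowned_assets(inventory: Dict[str, Asset]) -> List[str]:
    """Assets with no registered owner: nobody to route a finding or a decommission to."""
    return sorted(a.asset_id for a in inventory.values() if a.owner is None)


def retire_asset(inventory: Dict[str, Asset], asset_id: str, retired_on: str) -> Asset:
    """End-of-life handling: keep the record for traceability, but mark it retired."""
    asset = inventory[asset_id]
    asset.status = f"retired:{retired_on}"
    return asset


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_SBOM, OWNERS)
    for a in inv.values():
        print(f"{a.asset_id:48} depth={a.depth} owner={a.owner} via={' -> '.join(a.via)}")
    print("vulnerable:", vulnerable_assets(inv, VULN_FEED))
    print("unowned:", unowned_assets(inv))
```

The transitive component acme-tls shows why owners are tracked per dependency rather than per product: the advisory hit lands on an asset with no owner, and the recorded path (billing-api via acme-http) is what tells the responder which direct dependency to update. Retiring an asset changes its status instead of removing it, so a later finding against an old version can still be traced to where it once ran.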

Reference sources

  1. BSIMM CMVM2.3, SM3.1
  2. 800-161 CM-8, IA-4, PM-5
  3. OWASP-SCVS 1
  4. S2C2F INV-1
  5. CNCF-SSC M-V: Require SBOMs and VEX statements from third-party suppliers; M-V: Track dependencies between open source components
  6. OSPS OSPS-QA-02