CM-08 Information System Component Inventory

Configuration Management

Baselines: Low, Moderate, High

Description

The organization develops, documents, and maintains a current inventory of the components of the information system and relevant ownership information.

Supplemental Guidance

The organization determines the appropriate level of granularity for the information system components included in the inventory that are subject to management control (i.e., tracking and reporting). The inventory of information system components includes any information determined to be necessary by the organization to achieve effective property accountability (e.g., manufacturer, model number, serial number, software license information, system/component owner). The component inventory is consistent with the accreditation boundary of the information system (later revisions of SP 800-53 call this the authorization boundary). Related security controls: CM-02, CM-06.

Changes from Rev 4

Adds "Does not include duplicate accounting of components or components assigned to any other system"
Discussion of accountability expanded
Incorporates withdrawn control enhancement CM-08(5)
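The guidance above sets out what an inventory record must carry (manufacturer, model, serial, owner, the system it belongs to) and, since Rev 5, that no component may be accounted for twice or assigned to two systems. The following is an added example, not code from the page or from NIST, showing how those requirements can be checked mechanically: it flags serials assigned to more than one system, records missing a required accountability field, and reconciles the declared inventory for one system against hosts that discovery saw inside that system's boundary. The inventory and discovery records are constructed sample data, and the field names and the required-field list are assumptions (CM-8 leaves the exact fields to the organization).

```python
"""Check a system component inventory against the CM-8 criteria.

Added example: the inventory and discovery records are constructed sample
data; field names and the required-field set are assumptions, not NIST's.
"""
from collections import defaultdict

# Fields the organization has decided are needed for component accountability
# (SP 800-53 Rev 5 CM-8a.5 leaves the list to the organization; this set is an assumption).
REQUIRED_FIELDS = ("serial", "manufacturer", "model", "owner", "system_id")

# Constructed sample inventory: one record per component per system.
INVENTORY = [
    {"serial": "SN-0001", "manufacturer": "Acme", "model": "X1", "owner": "ops", "system_id": "SYS-A", "host": "web01"},
    {"serial": "SN-0002", "manufacturer": "Acme", "model": "X1", "owner": "ops", "system_id": "SYS-A", "host": "web02"},
    {"serial": "SN-0002", "manufacturer": "Acme", "model": "X1", "owner": "dev", "system_id": "SYS-B", "host": "web02"},  # same serial in two systems
    {"serial": "SN-0003", "manufacturer": "Acme", "model": "S2", "owner": "",    "system_id": "SYS-A", "host": "db01"},   # owner missing
    {"serial": "SN-0004", "manufacturer": "Acme", "model": "S2", "owner": "ops", "system_id": "SYS-A", "host": "old01"},  # never seen by discovery
]

# Constructed sample discovery result (e.g. a network scan) for the boundary of SYS-A.
OBSERVED_HOSTS = {"web01", "web02", "db01", "printer07"}


def find_duplicates(inventory):
    """Serials assigned to more than one system (CM-8a.3: no duplicate accounting)."""
    systems = defaultdict(set)
    for rec in inventory:
        systems[rec["serial"]].add(rec["system_id"])
    return {serial: sorted(s) for serial, s in systems.items() if len(s) > 1}


def find_incomplete(inventory, required=REQUIRED_FIELDS):
    """Serials of records missing or blank in any required accountability field (CM-8a.5)."""
    return [rec["serial"] for rec in inventory if any(not rec.get(f) for f in required)]


def reconcile(inventory, system_id, observed_hosts):
    """Compare the declared inventory of one system with what discovery saw inside its
    boundary (CM-8a.1/a.2: the inventory accurately reflects the system and is complete)."""
    declared = {rec["host"] for rec in inventory if rec["system_id"] == system_id}
    return {
        "unauthorized": sorted(observed_hosts - declared),  # on the network, not in the inventory
        "stale": sorted(declared - observed_hosts),         # in the inventory, not seen on the network
    }


def audit(inventory=INVENTORY, system_id="SYS-A", observed_hosts=OBSERVED_HOSTS):
    """Run all three checks and return the findings as one dict."""
    return {
        "duplicates": find_duplicates(inventory),
        "incomplete": find_incomplete(inventory),
        **reconcile(inventory, system_id, observed_hosts),
    }


if __name__ == "__main__":
    for finding, value in audit().items():
        print(f"{finding}: {value}")
```

Each finding maps back to a clause of the control: a duplicate serial is the Rev 5 "no duplicate accounting" requirement, a blank owner is a missing accountability field, an observed-but-undeclared host is the case the inventory should have caught, and a declared-but-unseen host is a stale record that should be retired or investigated.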

MITRE ATT&CK Techniques (101)

ATT&CK v16.1

Techniques this control mitigates, taken from the MITRE Center for Threat-Informed Defense (CTID) NIST SP 800-53 to ATT&CK mappings.

Reconnaissance: 1
Initial Access: 6
Execution: 12
Persistence: 26
Privilege Escalation: 17
Defense Evasion: 37
Credential Access: 6
Discovery: 2
Lateral Movement: 11
Collection: 13
Command & Control: 1
Exfiltration: 4
Impact: 4

The per-tactic counts sum to 140 rather than 101 because a technique that belongs to more than one tactic is listed under each of them.

Compliance Mappings

ISO 27001:2022

A.5.9, A.8.9

ISO 27002:2022

5.37, 5.9, 8.1, 8.9

COBIT 2019

BAI09, BAI10

CIS Controls v8

CIS 1, CIS 1.1, CIS 1.2, CIS 1.3, CIS 1.5, CIS 16.4, CIS 2, CIS 2.1, CIS 2.4, CIS 3.2

NIST CSF 2.0

ID.AM-01, ID.AM-02, ID.AM-07, ID.AM-08, PR.PS-01, PR.PS-03

SOC 2 TSC

CC6.1-POF1

PCI DSS v4.0.1

11.2, 12.5

CSA CCM v4

CEK-21, DCS-05, DCS-06, DCS-08, DSP-03, STA-07, UEM-04, UEM-12

CSA AICM v1

CEK-21, DCS-05, DCS-06, DCS-08, DSP-03, MDS-02, STA-07, STA-15, UEM-04, UEM-12

FINOS CCC

CCC-C06

ISO 42001:2023

A.4.2, A.4.4

NIS2 Directive

Art. 21(2)(i)

PRA Operational Resilience

SS1/21-5.2, SS2/21-13.1

APRA CPS 234

Para 21

ASD Essential Eight

E8-2 ML3, E8-6 ML3

ANSSI

Hygiene.5, Hygiene.8, SecNumCloud.9.1

FINMA Circular 2023/1

IV.A(28), IV.A(29), IV.A(30), IV.B.c(54), IV.B.c(55)

OSFI B-13

B-13.2.1, B-13.3.1

EU GDPR

Art.30(1), Art.35(7)(a)

EU DORA

Art.28(4), Art.8(1), Art.8(4)

BIO2

5.37, 5.9, 8.1, 8.9

RBI CSF

Annex1.1, ITGRCA.9

FISC Security Guidelines

FISC.O13, FISC.O9, FISC.T7

LGPD + BCB 4893

BCB.Art.20

MLPS 2.0

8.1.10.1, 8.1.10.6, 8.2, 8.3

DNB Good Practice

DNB.13.1, DNB.13.2, DNB.19.3, DNB.6.1

EU CRA

CRA.II.1, CRA.Info.3

SWIFT CSCF

SWIFT.2.7

SAMA CSF

2.1

NCA ECC

2-12-6

UAE IA

T4, T7

Qatar NIA

AMOS

CBUAE

CR-7

CBE CSF

CRM-2

SA JS2

JS2-6.1, JS2-7.2

CBN CSF

Part3.1

BoG CISD

CISD-V

POPIA

s17

BoM CTRM

2.1, 3.2, 3.7

IOSCO Cyber Resilience

ID-1, ID-2, ID-4

BCBS 239

Principle 2, Principle 4

CPMI-IOSCO PFMI

CG.ID, PFMI.P17

FFIEC IS

II.C.11, II.C.13(e), II.C.5

NYDFS 500

500.13

HIPAA Security Rule

§164.310(d)(2)(iii)

ECB CROE

CROE.2.2.2

EBA ICT Guidelines

3.3.2, 3.4.4, 3.5(a), 3.5(b)

SEBI CSCRF

ID.AM

BOT Cyber Resilience

Ch2.1

CMMC 2.0

CM

NERC CIP

CIP-010-4

10 CFR 73.54

RG5.71-B-CM

IEEE 1686-2022

5.4

DOE C2M2 v2.1

ASSET

AWIA

AWWA Sec 2

PCI PTS v6

K

CBEST

CBEST.3

PCI HSM

2

ISAE 3402

Clause 9

Solvency II

DR.266-DataSec, EIOPA-ICT-4.3

Lloyd's Minimum Standards

MS1.1, MS8.4, MS9.3

NAIC Insurance Data Security

34-asset

PRA SS1/23

P-IT.3, P1.1, P1.3, P5.5

FCA SYSC 13

SYSC 13.7.1, SYSC 13.7.2

HITRUST CSF v11

05.c, 07.a, 10.e

FDA 21 CFR Part 11

§11.10(h)

FDA Cybersecurity Guidance

524B-1, SBOM-1, SBOM-2, SBOM-3, ST-4

ISO 27799

11.2, 8.1, H.3

NHS DSPT

NDG-5.3, NDG-8.1, NDG-8.3, NDG-9.7

OWASP MASVS v2.1

MASVS-CODE-3

CCSS v9.0

1.02.3, 1.04.5

MiCA

Art.40(1), Art.63(2), Art.82(1)

Basel SCO60

SCO60.14, SCO60.51, SCO60.65

BSSC Standards

NOS-03, GSP-14

SEC Custody (Digital Assets)

SEC-CD-04, SEC-CD-09, SEC-CD-18

ISO 17799 (legacy)

7.1.1, 15.1.2

COBIT 4.1 (legacy)

None.