💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles

  • Contextual name: 💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles
  • ID: /frameworks/nist-csf-v2.0/id-am/08
  • Located in: 💼 Asset Management (ID.AM)

Description

  1. Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services
  2. Integrate cybersecurity considerations into product life cycles
  3. Identify unofficial uses of technology to meet mission objectives (i.e., shadow IT)
  4. Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface
  5. Properly configure and secure systems, hardware, software, and services prior to their deployment in production
  6. Update inventories when systems, hardware, software, and services are moved or transferred within the organization
  7. Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
  8. Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement
  9. Offer methods for destroying paper, storage media, and other physical forms of data storage

Similar

  • Sections
    • /frameworks/nist-csf-v1.1/pr-ds/03
    • /frameworks/nist-csf-v1.1/pr-ma/01
    • /frameworks/nist-csf-v1.1/pr-ma/02
    • /frameworks/nist-csf-v1.1/pr-ip/06
    • /frameworks/nist-sp-800-53-r5/cm/09
    • /frameworks/nist-sp-800-53-r5/cm/13
    • /frameworks/nist-sp-800-53-r5/ma/02
    • /frameworks/nist-sp-800-53-r5/ma/06
    • /frameworks/nist-sp-800-53-r5/pl/02
    • /frameworks/nist-sp-800-53-r5/pm/23
    • /frameworks/nist-sp-800-53-r5/pm/22
    • /frameworks/nist-sp-800-53-r5/sa/03
    • /frameworks/nist-sp-800-53-r5/sa/04
    • /frameworks/nist-sp-800-53-r5/sa/08
    • /frameworks/nist-sp-800-53-r5/sa/22
    • /frameworks/nist-sp-800-53-r5/si/12
    • /frameworks/nist-sp-800-53-r5/si/18
    • /frameworks/nist-sp-800-53-r5/sr/05
    • /frameworks/nist-sp-800-53-r5/sr/12

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 NIST CSF v1.1 → 💼 PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition 7
💼 NIST CSF v1.1 → 💼 PR.IP-6: Data is destroyed according to policy 4
💼 NIST CSF v1.1 → 💼 PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
💼 NIST CSF v1.1 → 💼 PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access 11
💼 NIST SP 800-53 Revision 5 → 💼 CM-9 Configuration Management Plan 18
💼 NIST SP 800-53 Revision 5 → 💼 CM-13 Data Action Mapping
💼 NIST SP 800-53 Revision 5 → 💼 MA-2 Controlled Maintenance 2
💼 NIST SP 800-53 Revision 5 → 💼 MA-6 Timely Maintenance 3
💼 NIST SP 800-53 Revision 5 → 💼 PL-2 System Security and Privacy Plans 3
💼 NIST SP 800-53 Revision 5 → 💼 PM-22 Personally Identifiable Information Quality Management
💼 NIST SP 800-53 Revision 5 → 💼 PM-23 Data Governance Body
💼 NIST SP 800-53 Revision 5 → 💼 SA-3 System Development Life Cycle 34
💼 NIST SP 800-53 Revision 5 → 💼 SA-4 Acquisition Process 12
💼 NIST SP 800-53 Revision 5 → 💼 SA-8 Security and Privacy Engineering Principles 337
💼 NIST SP 800-53 Revision 5 → 💼 SA-22 Unsupported System Components 1
💼 NIST SP 800-53 Revision 5 → 💼 SI-12 Information Management and Retention 32
💼 NIST SP 800-53 Revision 5 → 💼 SI-18 Personally Identifiable Information Quality Operations 5
💼 NIST SP 800-53 Revision 5 → 💼 SR-5 Acquisition Strategies, Tools, and Methods 2
💼 NIST SP 800-53 Revision 5 → 💼 SR-12 Component Disposal

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags

Policies (21)

Policy | Logic Count | Flags
AWS Backup Vault contains unencrypted Recovery Points 🟢 | 1 | 🟢 x6
AWS CodeBuild Project Bitbucket Source Location URL contains credentials 🟢 | 1 | 🟢 x6
AWS DynamoDB Table Point In Time Recovery is not enabled 🟢 | 1 | 🟢 x6
AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢 | 1 | 🟢 x6
AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢 | 1 | 🟢 x6
AWS S3 Bucket MFA Delete is not enabled 🟠🟢 | 1 | 🟠 x1, 🟢 x6
Google API Key is not restricted for unused APIs 🟢 | 1 | 🟢 x6
Google API Key is not rotated every 90 days 🟢 | 1 | 🟢 x6
Google BigQuery Dataset is anonymously or publicly accessible 🟢 | 1 | 🟢 x6
Google Cloud Asset Inventory API is not enabled 🟢 | 1 | 🟢 x6
Google Cloud DNS Managed Zone DNSSEC is not enabled 🟢 | 1 | 🟢 x6
Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1 🟢 | 1 | 🟢 x6
Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1 🟢 | 1 | 🟢 x6
Google Cloud MySQL Instance allows anyone to connect with administrative privileges 🟢 | | 🟢 x3
Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on 🟢 | 1 | 🟢 x6
Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value 🟢 | 1 | 🟢 x6
Google Cloud SQL Server Instance user options Database Flag is configured 🟢 | 1 | 🟢 x6
Google Project has a default network 🟢 | 1 | 🟢 x6
Google Project has a legacy network 🟢 | 1 | 🟢 x6
Google Project has API Keys 🟢 | 1 | 🟠 x1, 🟢 x5
Google Storage Bucket is anonymously or publicly accessible 🟢 | 1 | 🟢 x6