💼 ID.AM-08: Systems, hardware, software, services, and data are managed throughout their life cycles

• ID: /frameworks/nist-csf-v2.0/id-am/08

Description

1. Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services
2. Integrate cybersecurity considerations into product life cycles
3. Identify unofficial uses of technology to meet mission objectives (i.e., shadow IT)
4. Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface
5. Properly configure and secure systems, hardware, software, and services prior to their deployment in production
6. Update inventories when systems, hardware, software, and services are moved or transferred within the organization
7. Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
8. Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement
9. Offer methods for destroying paper, storage media, and other physical forms of data storage

Similar

• Sections
  • /frameworks/nist-csf-v1.1/pr-ds/03
  • /frameworks/nist-csf-v1.1/pr-ma/01
  • /frameworks/nist-csf-v1.1/pr-ma/02
  • /frameworks/nist-csf-v1.1/pr-ip/06
  • /frameworks/nist-sp-800-53-r5/cm/09
  • /frameworks/nist-sp-800-53-r5/cm/13
  • /frameworks/nist-sp-800-53-r5/ma/02
  • /frameworks/nist-sp-800-53-r5/ma/06
  • /frameworks/nist-sp-800-53-r5/pl/02
  • /frameworks/nist-sp-800-53-r5/pm/23
  • /frameworks/nist-sp-800-53-r5/pm/22
  • /frameworks/nist-sp-800-53-r5/sa/03
  • /frameworks/nist-sp-800-53-r5/sa/04
  • /frameworks/nist-sp-800-53-r5/sa/08
  • /frameworks/nist-sp-800-53-r5/sa/22
  • /frameworks/nist-sp-800-53-r5/si/12
  • /frameworks/nist-sp-800-53-r5/si/18
  • /frameworks/nist-sp-800-53-r5/sr/05
  • /frameworks/nist-sp-800-53-r5/sr/12

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 NIST CSF v1.1 → 💼 PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition			8		no data
💼 NIST CSF v1.1 → 💼 PR.IP-6: Data is destroyed according to policy			5		no data
💼 NIST CSF v1.1 → 💼 PR.MA-1: Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools					no data
💼 NIST CSF v1.1 → 💼 PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access		1	1		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-9 Configuration Management Plan	1		8		no data
💼 NIST SP 800-53 Revision 5 → 💼 CM-13 Data Action Mapping					no data
💼 NIST SP 800-53 Revision 5 → 💼 MA-2 Controlled Maintenance	2				no data
💼 NIST SP 800-53 Revision 5 → 💼 MA-6 Timely Maintenance	3				no data
💼 NIST SP 800-53 Revision 5 → 💼 PL-2 System Security and Privacy Plans	3				no data
💼 NIST SP 800-53 Revision 5 → 💼 PM-22 Personally Identifiable Information Quality Management					no data
💼 NIST SP 800-53 Revision 5 → 💼 PM-23 Data Governance Body					no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-3 System Development Life Cycle	3		4		no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-4 Acquisition Process	12				no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-8 Security and Privacy Engineering Principles	33		8		no data
💼 NIST SP 800-53 Revision 5 → 💼 SA-22 Unsupported System Components	1				no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-12 Information Management and Retention	3		5		no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-18 Personally Identifiable Information Quality Operations	5				no data
💼 NIST SP 800-53 Revision 5 → 💼 SR-5 Acquisition Strategies, Tools, and Methods	2				no data
💼 NIST SP 800-53 Revision 5 → 💼 SR-12 Component Disposal					no data

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance

Policies (25)

Policy	Logic Count	Flags	Compliance
🛡️ AWS Backup Vault contains unencrypted Recovery Points🟢	1	🟢 x6	no data
🛡️ AWS CodeBuild Project Bitbucket Source Location URL contains credentials🟢	1	🟢 x6	no data
🛡️ AWS DynamoDB Table Point In Time Recovery is not enabled🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS ElastiCache Redis Cluster automatic backups are not enabled🟢	1	🟢 x6	no data
🛡️ AWS RDS Instance automated backups are not enabled🟢	1	🟢 x6	no data
🛡️ AWS S3 Bucket MFA Delete is not enabled🟠🟢	1	🟠 x1, 🟢 x6	no data
🛡️ AWS S3 Bucket Versioning is not enabled🟢	1	🟢 x6	no data
🛡️ Google API Key is not restricted for unused APIs🟢	1	🟢 x6	no data
🛡️ Google API Key is not rotated every 90 days🟢	1	🟢 x6	no data
🛡️ Google BigQuery Dataset is anonymously or publicly accessible🟢	1	🟢 x6	no data
🛡️ Google Cloud Asset Inventory API is not enabled🟢	1	🟢 x6	no data
🛡️ Google Cloud DNS Managed Zone DNSSEC is not enabled🟢	1	🟢 x6	no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1🟢	1	🟢 x6	no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1🟢	1	🟢 x6	no data
🛡️ Google Cloud MySQL Instance allows anyone to connect with administrative privileges🟢⚪		🟢 x2, ⚪ x1	no data
🛡️ Google Cloud SQL Instance SSL Connections are not enforced🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance user options Database Flag is configured🟢	1	🟢 x6	no data
🛡️ Google Project has a default network🟢	1	🟢 x6	no data
🛡️ Google Project has a legacy network🟢	1	🟢 x6	no data
🛡️ Google Project has API Keys🟢	1	🟠 x1, 🟢 x5	no data
🛡️ Google Storage Bucket is anonymously or publicly accessible🟢	1	🟢 x6	no data