NIST 800-53 r5 · Controls catalogue · Family CM
CM-8System Component Inventory
Develop and document an inventory of system components that: Accurately reflects the system; Includes all components within the system; Does not include duplicate accounting of components or components assigned to any other system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}.
Last updated: 19 May 2026 14:18 UTC
Implementations targeting this control (2)
- aws-config-ec2-instance-managed-by-systems-manager Ec2 Instance Managed By Systems Manager AWS::EC2::Instance partial protect enforce
- aws-config-ec2-managedinstance-association-compliance-status-check Ec2 Managedinstance Association Compliance Status Check AWS::EC2::Instance partial protect enforce
ATT&CK techniques this control mitigates (101)
- T1011.001 Exfiltration Over Bluetooth Exfiltration
- T1020.001 Traffic Duplication Exfiltration
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.003 Distributed Component Object Model Lateral Movement
- T1021.004 SSH Lateral Movement
- T1021.005 VNC Lateral Movement
- T1021.006 Windows Remote Management Lateral Movement
- T1046 Network Service Discovery Discovery
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
- T1053.002 At Execution, Persistence, Privilege Escalation
- T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
- T1059 Command and Scripting Interpreter Execution
- T1059.001 PowerShell Execution
- T1059.005 Visual Basic Execution
- T1059.007 JavaScript Execution
- T1059.010 AutoHotKey & AutoIT Execution
- T1068 Exploitation for Privilege Escalation Privilege Escalation
- T1072 Software Deployment Tools Execution, Lateral Movement
- T1091 Replication Through Removable Media Lateral Movement, Initial Access
- T1092 Communication Through Removable Media Command And Control
- T1098.004 SSH Authorized Keys Persistence, Privilege Escalation
- T1119 Automated Collection Collection
- T1127 Trusted Developer Utilities Proxy Execution Stealth, Execution
- T1127.001 MSBuild Stealth, Execution
- T1127.002 ClickOnce Stealth, Execution
- T1133 External Remote Services Persistence, Initial Access
- T1137 Office Application Startup Persistence
- T1137.001 Office Template Macros Persistence
- T1189 Drive-by Compromise Initial Access
- T1190 Exploit Public-Facing Application Initial Access
- T1195 Supply Chain Compromise Initial Access
- T1195.003 Compromise Hardware Supply Chain Initial Access
- T1203 Exploitation for Client Execution Execution
- T1210 Exploitation of Remote Services Lateral Movement
- T1211 Exploitation for Stealth Stealth
- T1212 Exploitation for Credential Access Credential Access
- T1213 Data from Information Repositories Collection
- T1213.001 Confluence Collection
- T1213.002 Sharepoint Collection
- T1213.005 Messaging Applications Collection
- T1218 System Binary Proxy Execution Stealth
- T1218.003 CMSTP Stealth
- T1218.004 InstallUtil Stealth
- T1218.005 Mshta Stealth
- T1218.008 Odbcconf Stealth
- T1218.009 Regsvcs/Regasm Stealth
- T1218.012 Verclsid Stealth
- T1218.013 Mavinject Stealth
Weaknesses this control addresses (5)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 259 | The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews. |
CWE-506 | Embedded Malicious Code | 83 | Regular inventory reviews and updates make it harder to conceal or exploit embedded malicious code by requiring all components to be documented and accounted for. |
CWE-912 | Hidden Functionality | 79 | Documenting every system component at the required granularity and reviewing the inventory detects or prevents hidden functionality from remaining undetected. |
CWE-1104 | Use of Unmaintained Third Party Components | 20 | Maintaining an accurate, reviewed inventory of all system components enables tracking of third-party software versions and maintenance status, reducing the risk of using unmaintained components. |
CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | 14 | Requiring an inventory that accurately reflects the system forces documentation of all components, making inclusion of undocumented features or chicken bits harder to achieve without detection. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-15638 | 2.0 | 10.0 | 0.0002 | partial |
CVE-2025-12104 | 2.0 | 9.8 | 0.0035 | partial |
CVE-2026-41242 | 2.0 | 9.8 | 0.0006 | partial |
CVE-2026-4176 UPD | 2.0 | 9.8 | 0.0003 | partial |
CVE-2026-3381 | 2.0 | 9.8 | 0.0004 | partial |
CVE-2025-15444 | 2.0 | 9.8 | 0.0003 | partial |
CVE-2026-33943 | 1.8 | 8.8 | 0.0007 | partial |
CVE-2026-2588 | 1.8 | 9.1 | 0.0006 | partial |
CVE-2026-23654 | 1.8 | 8.8 | 0.0006 | partial |
CVE-2026-7111 UPD | 1.7 | 8.4 | 0.0002 | partial |
CVE-2025-1717 | 1.6 | 8.1 | 0.0017 | partial |
CVE-2026-33055 | 1.6 | 8.1 | 0.0002 | partial |
CVE-2026-31506 | 1.6 | 7.8 | 0.0001 | partial |
CVE-2026-34226 | 1.5 | 7.5 | 0.0005 | partial |
CVE-2026-42035 | 1.5 | 7.4 | 0.0011 | partial |
CVE-2026-0943 | 1.5 | 7.5 | 0.0014 | partial |
CVE-2026-40175 UPD | 1.0 | 4.8 | 0.0003 | partial |