Cyber Resilience

NIST 800-53 r5 · Controls catalogue · Family CM

CM-8System Component Inventory

Develop and document an inventory of system components that: Accurately reflects the system; Includes all components within the system; Does not include duplicate accounting of components or components assigned to any other system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }} ; and Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}.

Last updated: 04 July 2026 00:28 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 4 mapping(s) from 2 framework(s): CSF 2.0 3 (mostly) · ASVS 5.0 1 (partial)

See the full cumulative-coverage rollup →

Implementations targeting this control (2)

ATT&CK techniques this control mitigates (101)

Weaknesses this control addresses (5)AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE Name CVEs Why this control addresses it
CWE-829Inclusion of Functionality from Untrusted Control Sphere298The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.
CWE-506Embedded Malicious Code85Regular inventory reviews and updates make it harder to conceal or exploit embedded malicious code by requiring all components to be documented and accounted for.
CWE-912Hidden Functionality79Documenting every system component at the required granularity and reviewing the inventory detects or prevents hidden functionality from remaining undetected.
CWE-1104Use of Unmaintained Third Party Components21Maintaining an accurate, reviewed inventory of all system components enables tracking of third-party software versions and maintenance status, reducing the risk of using unmaintained components.
CWE-1242Inclusion of Undocumented Features or Chicken Bits14Requiring an inventory that accurately reflects the system forces documentation of all components, making inclusion of undocumented features or chicken bits harder to achieve without detection.

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
CVE-2025-156387.010.00.0057partial
CVE-2025-121047.09.80.0037partial
CVE-2026-41242 UPD7.09.80.0075partial
CVE-2026-41767.09.80.0068partial
CVE-2026-33817.09.80.0055partial
CVE-2026-25887.09.10.0035partial
CVE-2025-154447.09.80.0023partial
CVE-2026-33943 UPD5.58.80.0079partial
CVE-2026-7111 UPD5.58.40.0016partial
CVE-2025-17175.58.10.0054partial
CVE-2026-330555.58.10.0040partial
CVE-2026-315065.57.80.0013partial
CVE-2026-34226 UPD5.57.50.0046partial
CVE-2026-420355.57.40.0039partial
CVE-2026-236545.58.80.0093partial
CVE-2025-47917 UPD5.58.90.0199minimal
CVE-2026-09435.57.50.0042partial
CVE-2026-309105.57.50.0029partial
CVE-2026-257983.55.30.0043partial

Other controls in family CM

CM-1 CM-10 CM-11 CM-12 CM-13 CM-14 CM-2 CM-3 CM-4 CM-5 CM-6 CM-7 CM-9