NIST CSF 2.0 · All Functions · ID Identify · ID.AM Asset Management

ID.AM-04

Implementation examples

• Ex1: Inventory all external services used by the organization, including third-party infrastructure-as-a-service (IaaS), platform-as-a-service (PaaS), and software-as-a-service (SaaS) offerings; APIs; and other externally hosted application services
• Ex2: Update the inventory when a new external service is going to be utilized to ensure adequate cybersecurity risk management monitoring of the organization's use of that service

Mapped NIST 800-53 r5 controls (3)

All informative references (36)

• CCMv4.0: CCC-04
• CCMv4.0: DCS-06
• CCMv4.0: STA-07
• CCMv4.0: UEM-02
• CCMv4.0: UEM-04
• CIS Controls v8.0: 15.1
• CIS Controls v8.1: 15.1
• CRI Profile v2.0: ID.AM-04
• CRI Profile v2.0: ID.AM-04.01
• CSF v1.1: ID.AM-4
• ISO/IEC 27001:2022: Mandatory Clause: None
• ISO/IEC 27001:2022: Annex A Controls: 5.22
• NICE Framework: DD-WRL-002
• NICE Framework: IO-WRL-002
• NICE Framework: IO-WRL-003
• NICE Framework: IO-WRL-004
• NICE Framework: IO-WRL-005
• NICE Framework: OG-WRL-011
• NICE Framework: OG-WRL-015
• OWASP Top 10 LLM Applications: LLM03-2025
• PCI DSS: 12.8.1
• PCI DSS: 12.8.5
• PCI DSS: 12.8.3
• PCI DSS: 12.8.4
• SDOS: SDOS-AU-02
• SDOS: SDOS-IA-02
• SDOS: SDOS-IN-03
• SP 800-171 Rev 3: 03.16.03
• SP 800-171 Rev 3: 03.17.01
• SP 800-53 Rev 5.1.1: AC-20
• SP 800-53 Rev 5.1.1: SA-09
• SP 800-53 Rev 5.1.1: SR-02
• SP 800-53 Rev 5.2.0: AC-20
• SP 800-53 Rev 5.2.0: SA-09
• SP 800-53 Rev 5.2.0: SR-02
• SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-10 Asset Identification

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).