NIST CSF 2.0 · All Functions · ID Identify · ID.AM Asset Management

ID.AM-08

Systems, hardware, software, services, and data are managed throughout their life cycles

Implementation examples

Ex1: Integrate cybersecurity considerations throughout the life cycles of systems, hardware, software, and services
Ex2: Integrate cybersecurity considerations into product life cycles
Ex3: Identify unofficial uses of technology to meet mission objectives (i.e., shadow IT)
Ex4: Periodically identify redundant systems, hardware, software, and services that unnecessarily increase the organization's attack surface
Ex5: Properly configure and secure systems, hardware, software, and services prior to their deployment in production
Ex6: Update inventories when systems, hardware, software, and services are moved or transferred within the organization
Ex7: Securely destroy stored data based on the organization's data retention policy using the prescribed destruction method, and keep and manage a record of the destructions
Ex8: Securely sanitize data storage when hardware is being retired, decommissioned, reassigned, or sent for repairs or replacement
Ex9: Offer methods for destroying paper, storage media, and other physical forms of data storage

Mapped NIST 800-53 r5 controls (15)

CM-09 CM-13 MA-02 MA-06 PL-02 PM-22 PM-23 SA-03 SA-04 SA-08 SA-22 SI-12 SI-18 SR-05 SR-12

Mapped CWE weaknesses (3)

Hover any chip for the human-reviewed coverage assessment in each direction. ← = the CWE covers this subcategory; → = this subcategory covers the CWE. F / M / P = full, mostly, partial.

CWE-1059←P →P CWE-1256→P CWE-1357←P →F

All informative references (120)

CCMv4.0: AIS-02
CCMv4.0: AIS-04
CCMv4.0: AIS-05
CCMv4.0: AIS-06
CCMv4.0: AIS-07
CCMv4.0: CCC-04
CCMv4.0: CEK-14
CCMv4.0: CEK-21
CCMv4.0: DCS-01
CCMv4.0: DCS-02
CCMv4.0: DSP-02
CCMv4.0: DSP-07
CCMv4.0: DSP-16
CCMv4.0: DSP-19
CCMv4.0: HRS-05
CCMv4.0: IVS-01
CCMv4.0: LOG-02
CCMv4.0: LOG-06
CCMv4.0: UEM-03
CCMv4.0: UEM-05
CCMv4.0: UEM-09
CCMv4.0: UEM-10
CCMv4.0: UEM-11
CCMv4.0: UEM-13
CIS Controls v8.0: 1.1
CIS Controls v8.0: 3.5
CIS Controls v8.1: 1.1
CIS Controls v8.1: 3.5
CRI Profile v2.0: ID.AM-08
CRI Profile v2.0: ID.AM-08.01
CRI Profile v2.0: ID.AM-08.02
CRI Profile v2.0: ID.AM-08.03
CRI Profile v2.0: ID.AM-08.04
CRI Profile v2.0: ID.AM-08.05
CRI Profile v2.0: ID.AM-08.06
CSF v1.1: PR.DS-3
CSF v1.1: PR.IP-2
CSF v1.1: PR.MA-1
CSF v1.1: PR.MA-2
CSF v1.1: PR.IP-6
CSF v1.1: PR.DS
ISO/IEC 27001:2022: Mandatory Clause: None
ISO/IEC 27001:2022: Annex A Controls: 5.8
ISO/IEC 27001:2022: Annex A Controls: 5.9
ISO/IEC 27001:2022: Annex A Controls: 5.12
ISO/IEC 27001:2022: Annex A Controls: 5.13
ISO/IEC 27001:2022: Annex A Controls: 5.19
ISO/IEC 27001:2022: Annex A Controls: 5.22
ISO/IEC 27001:2022: Annex A Controls: 7.10
ISO/IEC 27001:2022: Annex A Controls: 7.13
ISO/IEC 27001:2022: Annex A Controls: 7.14
NICE Framework: DD-WRL-002
NICE Framework: DD-WRL-003
NICE Framework: DD-WRL-004
NICE Framework: IO-WRL-001
NICE Framework: IO-WRL-002
NICE Framework: IO-WRL-003
NICE Framework: IO-WRL-004
NICE Framework: IO-WRL-005
NICE Framework: OG-WRL-015
OWASP Top 10 LLM Applications: LLM03-2025
PCI DSS: 6.2.2
PCI DSS: 6.2.1
PCI DSS: 6.2.3
PCI DSS: 6.2.3.1
PCI DSS: 6.2.4
PCI DSS: 6.3.1
PCI DSS: 6.3.3
PCI DSS: 12.3.4
PCI DSS: 11.6.1
SCF: AST-01
SCF: DCH-01
SCF: DCH-01.1
SCF: PRM-07
SCF: SEA-07
SCF: SEA-07.1
SDOS: SDOS-GV-01
SDOS: SDOS-IA-02
SP 800-171 Rev 3: 03.14.08
SP 800-171 Rev 3: 03.15.02
SP 800-171 Rev 3: 03.16.01
SP 800-171 Rev 3: 03.16.02
SP 800-171 Rev 3: 03.17.02
SP 800-221A: MA.RI-1
SP 800-53 Rev 5.1.1: CM-09
SP 800-53 Rev 5.1.1: CM-13
SP 800-53 Rev 5.1.1: MA-02
SP 800-53 Rev 5.1.1: MA-06
SP 800-53 Rev 5.1.1: PL-02
SP 800-53 Rev 5.1.1: PM-22
SP 800-53 Rev 5.1.1: PM-23
SP 800-53 Rev 5.1.1: SA-03
SP 800-53 Rev 5.1.1: SA-04
SP 800-53 Rev 5.1.1: SA-08
SP 800-53 Rev 5.1.1: SA-22
SP 800-53 Rev 5.1.1: SI-12
SP 800-53 Rev 5.1.1: SI-18
SP 800-53 Rev 5.1.1: SR-05
SP 800-53 Rev 5.1.1: SR-12
SP 800-53 Rev 5.2.0: CM-09
SP 800-53 Rev 5.2.0: CM-13
SP 800-53 Rev 5.2.0: MA-02
SP 800-53 Rev 5.2.0: MA-06
SP 800-53 Rev 5.2.0: PL-02
SP 800-53 Rev 5.2.0: PM-22
SP 800-53 Rev 5.2.0: PM-23
SP 800-53 Rev 5.2.0: SA-03
SP 800-53 Rev 5.2.0: SA-04
SP 800-53 Rev 5.2.0: SA-08
SP 800-53 Rev 5.2.0: SA-22
SP 800-53 Rev 5.2.0: SI-12
SP 800-53 Rev 5.2.0: SI-18
SP 800-53 Rev 5.2.0: SR-05
SP 800-53 Rev 5.2.0: SR-12
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-10 Asset Identification
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-12 Information Types
SP-800-37 Rev 2: RMF Prepare Step (System Level): TASK P-13 Information Life Cycle
SP-800-37 Rev 2: RMF Monitor Step: TASK M-7 System Disposal
SSDF: PW.4.1
SSDF: PW.4.4

Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms. Direct CSF→CWE/CVE cross-references will be added in a Phase B LLM-authored mapping pass (not yet rendered).