UIS.203.6 Information System Component Inventory Guidelines

In support of UIS.203 Configuration Management Policy

Georgetown University has adopted the configuration management principles established in NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework. 

UIS develops, documents, updates and maintains an inventory of information system components that: 

  • Accurately reflects the current information system 
  • Includes all components within the authorization boundary of the information system 
  • Is at the level of granularity deemed necessary for tracking and reporting 

Systems Component Inventory Requirements

  1. Verify that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.  

  2. Include at least the following details for effective tracking and reporting:  

    • hardware inventory specifications (manufacturer, type, model, serial number)

    • information system / component owner(s) 
    • associated component configuration standard
    • software/firmware version information 
    • the machine name and network address (for a networked component/device)
  3. Include assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory
  4. Review and audit the information system component inventory annually, at a minimum