Beruflich Dokumente
Kultur Dokumente
Overview:
When completed, FedRAMP will accept this inventory workbook as the inventory information required
by the following:
- System Security Plan - Information System Contingency Plan
- Security Assessment Plan - Monthly Continuous Monitoring.
- Security Assessment Report
Where the above documents require an inventory, include or refer to this document.
Note: This document replaces the separate inventory templates or tabs that existed in the above
documents.
Instructions:
1. The CSP should use this inventory template to capture inventory items for the entire
OS/Infrastructure, software, and data bases as part of preparing for the Readiness Assessment and for
the initial authorization of the system (for either a JAB Provisional-Authorization to Operate (P-ATO) or
an Agency ATO.)
2. This inventory format should also be used for Assessment Testing efforts by the 3PAO.
3. Once the service offering is in the Monitoring Phase of its lifecycle, the CSP should use this template
to capture and submit inventory for monthly Continuous Monitoring efforts. Ensure to "save-as" the
inventory to keep month-to-month submissions of the inventory. The CSP may either include the
inventory as a tab within the monthly POA&M worksheet or may just keep the inventory as a separate
worksheet.
4. Optional fields should be left blank indicating no data instead of inserting "n/a,"" N/A," "na" or other
variants.
5. Before submission, please delete the following:
- "INSTRUCTIONS" and "Record of Changes" tabs
- Rows 3-11 in the Inventory tab (which contain guidance and examples)
- Column A of the Inventory tab (which contains comments and row headers)
Unique Identifier associated with the If available, state the IPv4 or IPv6
asset. This Identifier should be used address of the inventory item. This can
consistently across all documents, be left blank if one does not exist, or if
3PAOs artifacts, and any vulnerability it is a dynamic field. If the IP address is
scanning tools. For OS/Infrastructure used as the Unique Asset Identifier,
and Web Application Software, this is then this field will duplicate the
GUIDANCE
typically an IP address or URL/DNS contents of the Unique Asset Identifier
name. For a database, it is typically an column.
IP address, URL, or database name. A
CSP's own naming scheme is also If a device has multiple IP addresses,
acceptable as long as it has unique then include one row in this inventory
identifiers. for each IP address.
OS/Infrastructure
123.45.78.90 123.45.78.90
Example
OS/Infrastructure
123.45.67.98 123.45.67.98
Example
OS/Infrastructure
123.45.67.95 123.45.67.95
Example
OS/Infrastructure
123.45.67.96 123.45.67.96
Example
Yes or No. Yes or No. Valid DNS name or URL. Valid NetBIOS name.
No Yes
Yes Yes
No Yes
No Yes
No No
No No
OS/Infrastructure Inventory
Baseline
Authenticated
MAC Address Configuration OS Name and Version Location
Scan
Name
CRM
Records Management
Any Inventory
System Application
VLAN/
Serial #/Asset Tag# Administrator/ Administrator/
Network ID
Owner Owner