
Inventory Template Instructions

Overview:
When completed, FedRAMP will accept this inventory workbook as the inventory information required
by the following:
- System Security Plan
- Security Assessment Plan
- Security Assessment Report
- Information System Contingency Plan
- Monthly Continuous Monitoring

Where the above documents require an inventory, include or refer to this document.
Note: This document replaces the separate inventory templates or tabs that existed in the above
documents.

Instructions:
1. The CSP should use this inventory template to capture inventory items for the entire
OS/Infrastructure, software, and databases as part of preparing for the Readiness Assessment and for
the initial authorization of the system (for either a JAB Provisional-Authorization to Operate (P-ATO) or
an Agency ATO).
2. This inventory format should also be used for Assessment Testing efforts by the 3PAO.
3. Once the service offering is in the Monitoring Phase of its lifecycle, the CSP should use this template
to capture and submit inventory for monthly Continuous Monitoring efforts. Be sure to "save-as" the
inventory to keep month-to-month submissions of the inventory. The CSP may either include the
inventory as a tab within the monthly POA&M worksheet or may just keep the inventory as a separate
worksheet.
4. Optional fields should be left blank, indicating no data, instead of inserting "n/a," "N/A," "na" or other
variants.
5. Before submission, please delete the following:
- "INSTRUCTIONS" and "Record of Changes" tabs
- Rows 3-11 in the Inventory tab (which contain guidance and examples)
- Column A of the Inventory tab (which contains comments and row headers)

The above documents are available on the FedRAMP website, at:
https://www.fedramp.gov/resources/templates-3/

Controlled Unclassified Information


All Inventories

DELETE COLUMN A AND ROWS 3-11 BEFORE SUBMISSION

UNIQUE ASSET IDENTIFIER
- Guidance: Unique Identifier associated with the asset. This Identifier should be used consistently across all documents, 3PAOs artifacts, and any vulnerability scanning tools. For OS/Infrastructure and Web Application Software, this is typically an IP address or URL/DNS name. For a database, it is typically an IP address, URL, or database name. A CSP's own naming scheme is also acceptable as long as it has unique identifiers.
- Valid Values: Must be unique.
- Mandatory or Optional? Mandatory for all inventory records.

IPv4 or IPv6 Address
- Guidance: If available, state the IPv4 or IPv6 address of the inventory item. This can be left blank if one does not exist, or if it is a dynamic field. If the IP address is used as the Unique Asset Identifier, then this field will duplicate the contents of the Unique Asset Identifier column. If a device has multiple IP addresses, then include one row in this inventory for each IP address.
- Mandatory or Optional? Optional, unless used as Identifier in vulnerability scans or security assessments.

Examples (Unique Asset Identifier, IPv4 or IPv6 Address):
- OS/Infrastructure Example: 123.45.78.90, 123.45.78.90
- OS/Infrastructure Example: 123.45.67.98, 123.45.67.98
- OS/Infrastructure Example: 123.45.67.95, 123.45.67.95
- OS/Infrastructure Example: 123.45.67.96, 123.45.67.96
- Software Example: 123.45.78.400, 123.45.78.400
- Database Example: 123.45.78.401, 123.45.78.401

Virtual
- Guidance: Is this asset virtual?
- Valid Values: Yes or No.
- Mandatory or Optional? Mandatory for OS/Infrastructure, Software, and Database.

Public
- Guidance: Is this asset a public facing device? That is, is it outside the boundary? If so, it is an entry point.
- Valid Values: Yes or No.
- Mandatory or Optional? Mandatory for OS/Infrastructure, Software, and Database.

DNS Name or URL
- Guidance: If available, state the DNS name or URL of the inventory item. This can be left blank if one does not exist, or it is a dynamic field.
- Valid Values: Valid DNS name or URL.
- Mandatory or Optional? Optional, unless used as Identifier in vulnerability scans or security assessments.

NetBIOS Name
- Guidance: If available, state the NetBIOS name of the inventory item. This can be left blank if one does not exist, or it is a dynamic field.
- Valid Values: Valid NetBIOS name.
- Mandatory or Optional? Optional, unless used as Identifier in vulnerability scans or security assessments.

Examples (Virtual, Public):
- OS/Infrastructure Example: No, Yes
- OS/Infrastructure Example: Yes, Yes
- OS/Infrastructure Example: No, Yes
- OS/Infrastructure Example: No, Yes
- Software Example: No, No
- Database Example: No, No

OS/Infrastructure Inventory

MAC Address
- Guidance: If available, state the MAC Address of the inventory item. This can be left blank if one does not exist, or it is a dynamic field.
- Valid Values: Valid MAC Address.
- Mandatory or Optional? Optional, unless used as Identifier in vulnerability scans or security assessments.

Authenticated Scan
- Guidance: Is the asset planned for an authenticated scan?
- Valid Values: Yes or No.
- Mandatory or Optional? Mandatory for OS/Infrastructure. Leave blank for Software and Database.

Baseline Configuration Name
- Guidance: If available, provide the name of the configuration template used within the CSP configuration management.
- Mandatory or Optional? Mandatory for OS/Infrastructure. Leave blank for Software and Database.

OS Name and Version
- Guidance: Operating System Name and Version running on the asset.
- Mandatory or Optional? Optional for OS/Infrastructure. Leave blank for Software and Database.

Location
- Guidance: Physical location of hardware. Could include Data Center ID, Cage#, Rack# or other meaningful location identifiers.
- Valid Values: Valid locations for CSP infrastructure.
- Mandatory or Optional? Optional for OS/Infrastructure. Leave blank for Software and Database.

Examples (Authenticated Scan, Baseline Configuration Name, OS Name and Version):
- OS/Infrastructure Example: Yes, Base Config1, CentOS 5.1
- OS/Infrastructure Example: Yes, Base Config2, Windows Server 2012
- OS/Infrastructure Example: Yes, Base Config1, Cisco IOS 12.1
- OS/Infrastructure Example: Yes, Base Config1, Dell OS10

Asset Type
- Guidance: Simple description of the asset's function (e.g., Router, Storage Array, DNS Server, etc.)
- Valid Values: Do not use vendor or product names, which should go in Columns N (for hardware) or Columns P-Q for software or database.
- Mandatory or Optional? Mandatory for OS/Infrastructure. Leave blank for Software and Database.

Hardware Make/Model
- Guidance: Name of the hardware product and model.
- Mandatory or Optional? Mandatory for OS/Infrastructure. Leave blank for Software and Database.

In Latest Scan
- Guidance: Should the asset appear in the network scans and can it be probed by the scans creating the current POA&M?
- Valid Values: Yes or No.
- Mandatory or Optional? Mandatory for OS/Infrastructure. Leave blank for Software and Database.

Examples (Asset Type, Hardware Make/Model, In Latest Scan):
- OS/Infrastructure Example: Web Server, Acme Server, No
- OS/Infrastructure Example: Web Server, Acme Server, Yes
- OS/Infrastructure Example: Router, Acme Router, Yes
- OS/Infrastructure Example: Switch, Acme Switch, No

Software and Database Inventories

Software/Database Vendor
- Guidance: Name of Software or Database vendor.
- Valid Values: If open source (e.g., there is no "vendor"), enter "Open Source" as the vendor name.
- Mandatory or Optional? Mandatory for Software and Database. Leave blank for OS/Infrastructure.

Software/Database Name & Version
- Guidance: Name of Software or Database product and version number.
- Mandatory or Optional? Mandatory for Software or Database. Leave blank for OS/Infrastructure.

Examples (Software/Database Vendor, Software/Database Name & Version):
- Software Example: Acme Software, Acme CloudApp v1.0
- Database Example: Oracle, Oracle v11

Patch Level
- Guidance: If applicable.
- Mandatory or Optional? Optional if applicable. Otherwise, leave blank.

Function
- Guidance: For Software or Database, the function provided by the Software or Database for the system.
- Mandatory or Optional? Mandatory for Software or Database. Leave blank for OS/Infrastructure.
- Examples: CRM (Software Example), Records Management (Database Example)

Any Inventory

Comments
- Guidance: Any additional information that could be useful to the reviewer.
- Mandatory or Optional? Optional for OS/Infrastructure, Software and Database.

Serial #/Asset Tag#
- Guidance: Product serial number or internal asset tag #.

VLAN/Network ID
- Guidance: Virtual LAN or Network ID.

System Administrator/Owner
- Guidance: Name of the system administrator or owner.

Application Administrator/Owner
- Guidance: Name of the application administrator or owner.

Mandatory or Optional? (Serial #/Asset Tag#, VLAN/Network ID, System Administrator/Owner, Application Administrator/Owner)
- Three of these columns: Optional for OS/Infrastructure, Software, and Database.
- One of these columns: Mandatory for HIGH impact systems. Optional for Low and Moderate impact systems.

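A pre-submission check for the column rules above, as an added example that is not part of the FedRAMP template. It covers a subset of the columns (identifier uniqueness, Yes/No fields, blank instead of n/a, and the mandatory or leave-blank rules by inventory type); the `kind` key, the function names and the sample rows are assumptions constructed for the example.

```python
import re

# Column names follow the template. "kind" is a hypothetical helper key (the
# workbook has no such column) naming each row's inventory type.
ALL_KINDS = ["Unique Asset Identifier", "Virtual", "Public"]
OS_ONLY = ["Authenticated Scan", "Asset Type", "Hardware Make/Model", "In Latest Scan"]
SW_DB_ONLY = ["Software/Database Vendor", "Software/Database Name & Version", "Function"]
YES_NO = ["Virtual", "Public", "Authenticated Scan", "In Latest Scan"]
NA_VARIANT = re.compile(r"^\s*n\s*/?\s*a\s*$", re.IGNORECASE)

def validate(rows):
    """Return (row_number, column, problem) findings for a list of row dicts."""
    findings, seen = [], {}
    for n, row in enumerate(rows, start=1):
        is_os = row["kind"] == "OS/Infrastructure"
        cell = lambda col: (row.get(col) or "").strip()
        # Instruction 4: an empty cell means "no data"; n/a variants are rejected.
        for col in row:
            if col != "kind" and NA_VARIANT.match(cell(col)):
                findings.append((n, col, "use blank instead of n/a"))
        for col in ALL_KINDS + (OS_ONLY if is_os else SW_DB_ONLY):
            if not cell(col):
                findings.append((n, col, f"mandatory for {row['kind']}"))
        for col in (SW_DB_ONLY if is_os else OS_ONLY):
            if cell(col):
                findings.append((n, col, f"leave blank for {row['kind']}"))
        for col in YES_NO:  # strict match on the template's two valid values
            if cell(col) and cell(col) not in ("Yes", "No"):
                findings.append((n, col, "must be Yes or No"))
        uid = cell("Unique Asset Identifier")
        if uid in seen:
            findings.append((n, "Unique Asset Identifier", f"duplicate of row {seen[uid]}"))
        elif uid:
            seen[uid] = n
    return findings

def sample_rows():
    """Constructed rows (not from the template); 192.0.2.0/24 is documentation space."""
    os_row = {"kind": "OS/Infrastructure", "Unique Asset Identifier": "192.0.2.10",
              "Virtual": "No", "Public": "Yes", "Authenticated Scan": "Yes",
              "In Latest Scan": "Yes", "Asset Type": "Router",
              "Hardware Make/Model": "Acme Router"}
    sw_row = {"kind": "Software", "Unique Asset Identifier": "192.0.2.10",
              "Virtual": "yes", "Public": "No", "Asset Type": "N/A",
              "Software/Database Vendor": "Open Source",
              "Software/Database Name & Version": "Acme CloudApp v1.0", "Function": "CRM"}
    return [os_row, sw_row]

if __name__ == "__main__":
    print(*validate(sample_rows()), sep="\n")
```

Rows can come from `csv.DictReader` over an exported Inventory tab once the `kind` value has been added per row.
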
Record of Changes to Template

- 5/18/2016, Version 1.0, Author FedRAMP PMO: Original publication
- 11/1/2016, Version 2.0, Author FedRAMP PMO: Removed Main Inventory tab, Web Application Tab and Database Inventory Tab; replaced with a single Inventory tab. Simplified layout, added required multi-purpose inventory information, eliminated little-used fields, merged select fields and provided additional guidance and examples.
- 11/7/2016, Version 2.01, Author FedRAMP PMO: Minor fixes. Removed data validation from example rows, updated example rows, and updated Mandatory/Optional guidance for Column P (Software/ Database Vendor).
