`
`NIST SPECIAL PUBLICATION 1800-5
`
`
`
`IT Asset Management
`
`
`
`
`Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B);
`and How-To Guides (C)
`
`
`
`
`
`
`Michael Stone
`Chinedum Irrechukwu
`Harry Perper
`Devin Wynne
`Leah Kauffman, Editor-in-Chief
`
`
`
`
`
`
`This publication is available free of charge from: http://doi.org/10.6028/NIST.SP.1800-5
`
`
`The first draft of this publication is available free of charge from:
`https://www.nccoe.nist.gov/sites/default/files/library/sp1800/fs-itam-nist-sp1800-5-draft.pdf
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`NIST SPECIAL PUBLICATION 1800-5
`
`IT Asset Management
`
`Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B);
`and How-To Guides (C)
`
`
`
`
`Michael Stone
`National Cybersecurity Center of Excellence
`Information Technology Laboratory
`
`Chinedum Irrechukwu
`Harry Perper
`Devin Wynne
`The MITRE Corporation
`McLean, VA
`
`Leah Kauffman, Editor-in-Chief
`National Cybersecurity Center of Excellence
`Information Technology Laboratory
`
`
`
`
`
`September 2018
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`U.S. Department of Commerce
`Wilbur Ross, Secretary
`
`National Institute of Standards and Technology
`Walter G. Copan, Undersecretary of Commerce for Standards and Technology and Director
`
`
`
`
`
`
`
`
`
`
`
`NIST SPECIAL PUBLICATION 1800-5A
`
`IT Asset Management
`
`
`
`Volume A:
`Executive Summary
`
`
`Michael Stone
`Leah Kauffman, Editor-in-Chief
`National Cybersecurity Center of Excellence
`Information Technology Laboratory
`
`Chinedum Irrechukwu
`Harry Perper
`Devin Wynne
`The MITRE Corporation
`McLean, VA
`
`
`September 2018
`
`
`
`
`This publication is available free of charge from: http://doi.org/10.6028/NIST.SP.1800-5
`
`The first draft of this publication is available free of charge from:
`https://www.nccoe.nist.gov/sites/default/files/library/sp1800/fs-itam-nist-sp1800-5-draft.pdf
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`Executive Summary
`
`▪ The National Cybersecurity Center of Excellence (NCCoE), part of the National Institute of
`Standards and Technology (NIST), developed an example solution that financial services
`companies can use for a more secure and efficient way of monitoring and managing their many
`information technology (IT) hardware and software assets.
`
`▪ The security characteristics in our IT asset management platform are derived from the best
`practices of standards organizations, including the Payment Card Industry Data Security
`Standard (PCI DSS).
`
`▪ The NCCoE’s approach uses open source and commercially available products that can be
`included alongside current products in your existing infrastructure. It provides a centralized,
`comprehensive view of networked hardware and software across an enterprise, reducing
`vulnerabilities and response time to security alerts, and increasing resilience.
`
`▪ The example solution is packaged as a “How To” guide that demonstrates implementation of
`standards-based cybersecurity technologies in the real world. The guide helps organizations gain
`efficiencies in asset management, while saving them research and proof of concept costs.
`
`CHALLENGE
`
`Large financial services organizations employ tens or hundreds of thousands of individuals. At this scale,
`the technology base required to ensure smooth business operations (including computers, mobile
`devices, operating systems, applications, data, and network resources) is massive. To effectively
`manage, use, and secure each of those assets, you need to know their locations and functions. While
`physical assets can be labeled with bar codes and tracked in a database, this approach does not answer
`questions such as “What operating systems are our laptops running?” and “Which devices are
`vulnerable to the latest threat?”
`
`Computer security professionals in the financial services sector told us they are challenged by the vast
`diversity of hardware and software they attempt to track, and by a lack of centralized control: A large
`financial services organization can include subsidiaries, branches, third-party partners, contractors, as
`well as temporary workers and guests. This complexity makes it difficult to assess vulnerabilities or to
`respond quickly to threats, and to accurately assess risk in the first place (by pinpointing the most
`business essential assets).
`
`SOLUTION
`
`The NIST Cybersecurity IT Asset Management Practice Guide is a proof-of-concept solution
`demonstrating commercially available technologies that can be implemented to track the location and
`configuration of networked devices and software across an enterprise. Our example solution spans
`traditional physical asset tracking, IT asset information, physical security, and vulnerability and
`compliance information. Users can now query one system and gain insight into their entire IT asset
`portfolio.
`
`
`NIST SP 1800-5A: IT Asset Management
`This publication is available free of charge from: http://doi.org/10.6028/NIST.SP.1800-5
`
`
`1
`
`
`
`This guide:
`
`▪ maps security characteristics to guidance and best practices from NIST and other standards
`organizations, including the PCI DSS
`
▪ provides:

    • a detailed example solution with capabilities that address security controls

    • instructions for implementers and security engineers, including examples of all the
      necessary components for installation, configuration, and integration

▪ is modular and uses products that are readily available and interoperable with your existing IT
infrastructure and investments
`
`While the NCCoE used a suite of commercial products to address this challenge, this guide does not
`endorse these particular products, nor does it guarantee compliance with any regulatory initiatives. Your
`organization’s information security experts should identify the products that will best integrate with
`your existing tools and IT system infrastructure. Your organization can adopt this solution or one that
`adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring and
`implementing parts of a solution.
`
`BENEFITS
`
`Our example solution has the following benefits:
`
`▪ enables faster responses to security alerts by revealing the location, configuration, and owner of
`a device
`
`▪
`
`increases cybersecurity resilience: you can focus attention on the most valuable assets
`
`▪ provides detailed system information to auditors
`
`▪ determines how many software licenses are actually used in relation to how many have been
`paid for
`
`▪
`
`▪
`
`reduces help desk response times: staff will know what is installed and the latest pertinent
`errors and alerts
`
`reduces the attack surface of each device by ensuring that software is correctly patched
`
`SHARE YOUR FEEDBACK
`
You can view or download the guide at
https://www.nccoe.nist.gov/projects/use-cases/financial-services-sector/it-asset-management.
If you adopt this solution for your own organization, please share your experience and advice with
us. We recognize that technical solutions alone will not fully enable the benefits of our solution,
so we encourage organizations to share lessons learned and best practices for transforming the
processes associated with implementing this guide.
`
`To learn more by arranging a demonstration of this example implementation, contact the NCCoE at
`financial_nccoe@nist.gov.
`
`
`
`
`
`
`
`TECHNOLOGY PARTNERS/COLLABORATORS
`
`Organizations participating in this project submitted their capabilities in response to an open call in the
`Federal Register for all sources of relevant security capabilities from academia and industry (vendors
`and integrators). The following respondents with relevant capabilities or product components (identified
`as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development
`Agreement (CRADA) to collaborate with NIST in a consortium to build this example solution.
`
`Certain commercial entities, equipment, products, or materials may be identified by name or company
`logo or other insignia in order to acknowledge their participation in this collaboration or to describe an
`experimental procedure or concept adequately. Such identification is not intended to imply special
`status or relationship with NIST or recommendation or endorsement by NIST or NCCoE, neither is it
`intended to imply that the entities, equipment, products, or materials are necessarily the best available
`for the purpose.
`
`
`
`The National Cybersecurity Center of Excellence (NCCoE), a part of the
`National Institute of Standards and Technology (NIST), is a collaborative
`hub where industry organizations, government agencies, and academic
`institutions work together to address businesses’ most pressing
cybersecurity challenges. Through this collaboration, the NCCoE develops
modular, easily adaptable example cybersecurity solutions demonstrating
how to apply standards and best practices using commercially available
technology.
`
`
`
`
`LEARN MORE
`Visit https://www.nccoe.nist.gov
`nccoe@nist.gov
`301-975-0200
`
`
`
`
`
`3
`
`
`NIST SP 1800-5A: IT Asset Management
`This publication is available free of charge from: http://doi.org/10.6028/NIST.SP.1800-5
`
`
`
`
`
`NIST SPECIAL PUBLICATION 1800-5B
`
`IT Asset Management
`
`
`
`Volume B:
`Approach, Architecture, and Security Characteristics
`
`
`Michael Stone
`Leah Kauffman, Editor-in-Chief
`National Cybersecurity Center of Excellence
`Information Technology Laboratory
`
`Chinedum Irrechukwu
`Harry Perper
`Devin Wynne
`The MITRE Corporation
`McLean, VA
`
`
`September 2018
`
`
`
`This publication is available free of charge from: http://doi.org/10.6028/NIST.SP.1800-5
`
`The first draft of this publication is available free of charge from:
`https://www.nccoe.nist.gov/sites/default/files/library/sp1800/fs-itam-nist-sp1800-5-draft.pdf
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`DISCLAIMER
`
`Certain commercial entities, equipment, products, or materials may be identified in this document in
`order to describe an experimental procedure or concept adequately. Such identification is not intended
`to imply recommendation or endorsement by NIST or NCCoE, nor is it intended to imply that the
`entities, equipment, products, or materials are necessarily the best available for the purpose.
`
`
`
`
`
`
`
`National Institute of Standards and Technology Special Publication 1800-5B, Natl. Inst. Stand. Technol.
`Spec. Publ. 1800-5B, 47 pages, (September 2018), CODEN: NSPUE2
`
`
`
`
`
`
`
`FEEDBACK
`
`As a private-public partnership, we are always seeking feedback on our Practice Guides. We are
`particularly interested in seeing how businesses apply NCCoE reference designs in the real world. If you
`have implemented the reference design, or have questions about applying it in your environment,
`please email us at financial_nccoe@nist.gov.
`
`All comments are subject to release under the Freedom of Information Act (FOIA).
`
`
`
`
`
`
`
`National Cybersecurity Center of Excellence
`National Institute of Standards and Technology
`100 Bureau Drive
`Mailstop 2002
`Gaithersburg, MD 20899
`Email: nccoe@nist.gov
`
`
`
`This publication is available free of charge from: http://doi.org/10.6028/NIST.SP.1800-5.
`
`NIST SP 1800-5B: IT Asset Management
`
`i
`
`
`
`
`
`NATIONAL CYBERSECURITY CENTER OF EXCELLENCE
`
`The National Cybersecurity Center of Excellence (NCCoE), a part of the National Institute of Standards
`and Technology (NIST), is a collaborative hub where industry organizations, government agencies, and
`academic institutions work together to address businesses' most pressing cybersecurity issues. This
`public-private partnership enables the creation of practical cybersecurity solutions for specific
`industries, as well as for broad, cross-sector technology challenges. Through consortia under
`Cooperative Research and Development Agreements (CRADAs), including technology partners—from
`Fortune 50 market leaders to smaller companies specializing in IT security—the NCCoE applies standards
`and best practices to develop modular, easily adaptable example cybersecurity solutions using
`commercially available technology. The NCCoE documents these example solutions in the NIST Special
`Publication 1800 series, which maps capabilities to the NIST Cyber Security Framework and details the
`steps needed for another entity to recreate the example solution. The NCCoE was established in 2012 by
`NIST in partnership with the State of Maryland and Montgomery County, Md.
`
`To learn more about the NCCoE, visit https://www.nccoe.nist.gov. To learn more about NIST, visit
`https://www.nist.gov.
`
`NIST CYBERSECURITY PRACTICE GUIDES
`
`NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity
`challenges in the public and private sectors. They are practical, user-friendly guides that facilitate the
`adoption of standards-based approaches to cybersecurity. They show members of the information
`security community how to implement example solutions that help them align more easily with relevant
`standards and best practices, and provide users with the materials lists, configuration files, and other
`information they need to implement a similar approach.
`
`The documents in this series describe example implementations of cybersecurity practices that
`businesses and other organizations may voluntarily adopt. These documents do not describe regulations
`or mandatory practices, nor do they carry statutory authority.
`
`ABSTRACT
`
`While a physical asset management system can tell you the location of a computer, it cannot answer
`questions like, “What operating systems are our laptops running?” and “Which devices are vulnerable to
`the latest threat?” An effective IT asset management (ITAM) solution can tie together physical and virtual
`assets and provide management with a complete picture of what, where, and how assets are being used.
`ITAM enhances visibility for security analysts, which leads to better asset utilization and security.
`
`KEYWORDS
`
`asset management; financial sector; information technology asset management; ITAM; personnel
`security; physical security; operational security
`
`
`
`
`
`
`ACKNOWLEDGMENTS
`
`We are grateful to the following individuals for their generous contributions of expertise and time.
`
Name                         Organization
FS-ISAC                      Financial Services Information Sharing and Analysis Center
Gorrell Cheek                Western Union
Joe Buselmeier               American Express
Sean Franklin                American Express
Ron Ritchey                  Bank of America
Sounil Yu                    Bank of America
Joel Van Dyk                 Depository Trust & Clearing Corporation
Dan Schutzer                 Financial Services Roundtable
George Mattingly             Navy Federal Credit Union
Jimmie Owens                 Navy Federal Credit Union
Mike Curry                   State Street
Timothy Shea                 RSA
Mark McGovern                MobileSystem7
Atul Shah                    Microsoft
Leah Kauffman                NIST
Benham (Ben) Shariati        University of Maryland Baltimore County
Valerie Herrington           Herrington Technologies
Susan Symington              MITRE Corporation
Sallie Edwards               MITRE Corporation
Sarah Weeks                  MITRE Corporation
Lina Scorza                  MITRE Corporation
Karen Scarfone               Scarfone Cybersecurity
`
`
`The Technology Partners/Collaborators who participated in this build submitted their capabilities in
`response to a notice in the Federal Register. Respondents with relevant capabilities or product
`components were invited to sign a Cooperative Research and Development Agreement (CRADA) with
`NIST, allowing them to participate in a consortium to build this example solution. We worked with:
`
Technology Partner/Collaborator      Build Involvement
AlphaPoint Technology                AssetCentral
Belarc                               BelManage, BelManage Analytics
Computer Associates                  ITAM
Microsoft                            WSUS, Server 2012R2 Certificate Authority
Peniel Solutions                     Technology/Industry Expertise
PI Achievers                         Penetration Testing Services
PuppetLabs                           Puppet
RedJack                              Fathom
Splunk                               Splunk Enterprise
Tyco                                 iStar Edge
Vanguard Integrity Professionals     Security Manager
`
`
`
`
`
`
`
`
`Contents
`
`1 Summary ............................................................................................ 1
`
`1.1 Challenge ....................................................................................................................... 1
`
`1.2 Solution .......................................................................................................................... 2
`
`1.3 Risks ............................................................................................................................... 2
`
`1.4 Benefits .......................................................................................................................... 3
`
`2 How to Use This Guide ........................................................................ 4
`
`2.1 Typographic Conventions .............................................................................................. 6
`
`3
`
`Introduction ........................................................................................ 6
`
`4 Approach ............................................................................................ 7
`
`4.1 Audience ........................................................................................................................ 7
`
`4.2 Scope ............................................................................................................................. 7
`
`4.3 Assumptions .................................................................................................................. 8
`
`4.3.1
`
`Security ......................................................................................................................... 8
`
`4.3.2 Modularity .................................................................................................................... 8
`
`4.3.3
`
`Technical Implementation ............................................................................................ 8
`
`4.3.4
`
`Tracking and Location ................................................................................................... 8
`
`4.3.5 Operating Systems ........................................................................................................ 8
`
`4.4 Constraints .................................................................................................................... 9
`
`4.4.1
`
`Limited Scalability Testing ............................................................................................. 9
`
`4.4.2
`
`Limited Assets ............................................................................................................... 9
`
`4.4.3 Mobile Devices .............................................................................................................. 9
`
`4.4.4 Network Devices ........................................................................................................... 9
`
`4.4.5
`
`Limited Replication of Enterprise Network................................................................. 10
`
`4.5 Risk Assessment and Mitigation .................................................................................. 10
`
`4.5.1 Assessing Risk Posture ................................................................................................ 11
`
`4.5.2
`
`Security Characteristics and Controls Mapping .......................................................... 12
`
`4.6 Technologies ................................................................................................................ 23
`
`This publication is available free of charge from: http://doi.org/10.6028/NIST.SP.1800-5.
`
`NIST SP 1800-5B: IT Asset Management
`
`v
`
`
`
`
`
`5 Architecture ...................................................................................... 27
`
`5.1 Reference Architecture Description ............................................................................ 27
`
`5.2 Reference Architecture Relationship .......................................................................... 32
`
`5.3 Building an Instance of the Reference Architecture ................................................... 33
`
`5.3.1
`
`ITAM Build ................................................................................................................... 33
`
`5.3.2 Access Authorization Information Flow and Control Points ....................................... 37
`
`5.3.3
`
`Tier 1 Systems ............................................................................................................. 39
`
`5.3.4
`
`Tier 2 Systems ............................................................................................................. 39
`
`5.3.5
`
`Tier 3 Systems ............................................................................................................. 42
`
`Appendix A List of Acronyms ................................................................. 45
`
`Appendix B References ......................................................................... 46
`
`
`
`List of Figures
`
`Figure 5-1 Reference Architecture ...................................................................................................... 28
`
`Figure 5-2 ITAM Reference Functionality ............................................................................................ 29
`
`Figure 5-3 Typical Asset Lifecycle [13] ................................................................................................ 30
`
`Figure 5-4 ITAM Build ......................................................................................................................... 34
`
`Figure 5-5 DMZ Network .................................................................................................................... 35
`
`Figure 5-6 Network Security Network ................................................................................................ 35
`
`Figure 5-7 IT Systems Network ........................................................................................................... 36
`
`Figure 5-8 Physical Security Network ................................................................................................. 36
`
`Figure 5-9 Physical Asset Management .............................................................................................. 37
`
`Figure 5-10 ITAM Data Flow ............................................................................................................... 38
`
`
`
`List of Tables
`
`Table 4-1 Security Characteristics and Controls Mapping ................................................................... 13
`
`Table 4-2 Products and Technologies ................................................................................................. 23
`
`
`
`
`
`
`
`
`1 Summary
`Companies in the financial services sector can use this NIST Cybersecurity Practice Guide to more
`securely and efficiently monitor and manage their organization's many information technology (IT)
`assets. IT asset management (ITAM) is foundational to an effective cybersecurity strategy and is
`prominently featured in the SANS Critical Security Controls [1] and NIST Framework for Improving
`Critical Infrastructure Cybersecurity [2].
`
`During the project development, we focused on a modular architecture that would allow organizations
`to adopt some or all of the example capabilities in this practice guide. Depending on factors like size,
`sophistication, risk tolerance, and threat landscape, organizations should make their own
`determinations about the breadth of IT asset management capabilities they need to implement.
`
This example solution is packaged as a “How-To” guide that demonstrates how to implement
standards-based cybersecurity technologies in the real world with a risk-based approach. We used
open-source and commercial off-the-shelf (COTS) products that are currently available today. The
guide helps organizations gain efficiencies in IT asset management, while saving them research and
proof of concept costs.
`
`This guide aids those responsible for tracking assets, configuration management, and cybersecurity in a
`financial services sector enterprise. Typically, this group will comprise those who possess procurement,
`implementation, and policy authority.
`
`1.1 Challenge
`
`The security engineers we consulted in the financial services sector told us they are challenged by
`identifying assets across the enterprise and keeping track of their status and configurations, including
`hardware and software. This comprises two large technical issues:
`
`1. tracking a diverse set of hardware and software. Examples of hardware include servers,
`workstations, and network devices. Examples of software include operating systems,
`applications, and files.
`
`2.
`
`lack of total control by the host organization. Financial services sector organizations can include
`subsidiaries, branches, third-party partners, contractors, temporary workers, and guests. It is
`impossible to regulate and mandate a single hardware and software baseline against such a
`diverse group.
`
`
`
`
`
`
`1.2 Solution
`
`An effective ITAM solution needs several characteristics, including:
`
`▪
`
`complement existing asset management, security, and network systems
`
`▪ provide application programming interfaces to communicate with other security devices and
`systems such as firewalls and intrusion detection and identity and access management systems
`
`▪ know and control which assets, both virtual and physical, are connected to the enterprise
`network
`
`▪ automatically detect and alert when unauthorized devices attempt to access the network, also
`known as asset discovery
`
`▪ enable administrators to define and control the hardware and software that can be connected
`to the corporate environment
`
`▪ enforce software restriction policies relating to what software is allowed to run in the corporate
`environment
`
`▪
`
`record and track attributes of assets
`
`▪ audit and monitor changes in an asset's state and connection
`
`▪
`
`integrate with log analysis tools to collect and store audited information
`
`The ITAM solution developed and built at the NCCoE, and described in this document, meets all of these
`characteristics.
`
`1.3 Risks
`
`In addition to being effective, the ITAM solution must also be secure and not introduce new
`vulnerabilities into an organization. To reduce this risk, the NCCoE used security controls and best
`practices from NIST [3], the Defense Information Systems Agency (DISA) [4] and International
`Organization for Standardization (ISO) [5], and the Federal Financial Institutions Examination Council
`(FFIEC). How these individual controls are met by individual components of this solution can be seen in
`Table 4-2.
`
`Some of the security controls we implemented include:
`
▪ access control policy

▪ continuous monitoring and tracking of assets connected to a network

▪ event auditing

▪ anomalous activity detection and reporting

▪ vulnerability scanning
`
`
`
`
`
`By implementing an ITAM solution based on controls and best practices, implementers can tailor their
`deployment to their organization's security risk assessment, risk tolerance, and budget.
`
`1.4 Benefits
`
`The build described here employs passive and active data collectors/sensors across an enterprise to
`gather asset information and send it to a centralized location. The data collectors/sensors specialize in
`gathering information from different devices, no matter their operating system. Machines used by direct
`employees receive software agents that report on configuration, while temporary employees and
`contractors receive “dissolvable” agents and more passive sensing. Dissolvable agents are automatically
`downloaded to the client, run, and are removed. All of this information is gathered at a central location
`for analysis and reporting. You can choose to view all the activity in an enterprise, or configure the
`system to choose which machines are monitored, how much data is collected, and how long the data is
`retained.
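The collection and query model described above (agents reporting full configuration, passive or dissolvable sensing reporting less, everything merged at a central location, unauthorized devices alerted on, state changes audited, data retention configurable) can be illustrated with a small reconciliation routine. The following Python is an added example written for this page; it is not code from the NCCoE build or from any of the products in it. The authorized baseline, the observation records, the MAC addresses, hostnames, package strings and field names are all constructed for the example.

```python
"""Toy central ITAM inventory: merges agent reports and passive sensor sightings,
alerts on devices missing from the authorized baseline, audits attribute changes,
answers the two questions the guide poses, and applies a retention policy.
Added example for illustration; not the NCCoE build or any vendor product."""
from datetime import datetime, timedelta

# Constructed sample: the authorized baseline administrators approved (MAC -> attributes).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"hostname": "fin-lap-001", "owner": "j.doe", "location": "NYC-3F"},
    "aa:bb:cc:00:00:02": {"hostname": "fin-srv-010", "owner": "ops", "location": "DC-East"},
}

# Constructed sample observations. An "agent" report carries full configuration; a
# "passive" sighting (dissolvable agent or network sensor) knows only what the wire shows.
OBSERVATIONS = [
    {"src": "agent", "mac": "aa:bb:cc:00:00:01", "ip": "10.1.1.5", "os": "Windows 10 1803",
     "software": ["Office 2016", "Java 8u171"], "seen": "2018-09-01T08:00:00"},
    {"src": "passive", "mac": "aa:bb:cc:00:00:02", "ip": "10.1.2.10", "seen": "2018-09-01T08:05:00"},
    {"src": "agent", "mac": "aa:bb:cc:00:00:01", "ip": "10.1.1.5", "os": "Windows 10 1809",
     "software": ["Office 2016", "Java 8u181"], "seen": "2018-09-02T08:00:00"},
    {"src": "passive", "mac": "de:ad:be:ef:00:99", "ip": "10.1.1.77", "seen": "2018-09-02T09:15:00"},
]

# Attributes whose every change is written to the audit trail.
TRACKED_FIELDS = ("ip", "os", "software")


def build_inventory(observations, authorized):
    """Fold time-ordered observations into the current state of each asset.

    Returns (inventory, alerts, audit):
      inventory  MAC -> current attributes (baseline merged with latest reports)
      alerts     sightings of devices absent from the baseline (asset discovery)
      audit      one record per change to a tracked attribute, with timestamp
    """
    inventory, alerts, audit = {}, [], []
    for obs in sorted(observations, key=lambda o: o["seen"]):
        mac = obs["mac"]
        if mac not in authorized:
            # Unknown devices are alerted on but never merged into the trusted inventory.
            alerts.append({"mac": mac, "ip": obs["ip"], "seen": obs["seen"], "src": obs["src"]})
            continue
        asset = inventory.setdefault(mac, dict(authorized[mac]))
        for key in TRACKED_FIELDS:
            if key in obs and obs[key] != asset.get(key):
                audit.append({"mac": mac, "field": key, "old": asset.get(key),
                              "new": obs[key], "seen": obs["seen"]})
                asset[key] = obs[key]
        asset["last_seen"], asset["last_source"] = obs["seen"], obs["src"]
    return inventory, alerts, audit


def os_report(inventory):
    """'What operating systems are our laptops running?' Assets seen only passively
    carry no OS field, and the report says so rather than guessing."""
    return {a["hostname"]: a.get("os", "unknown (passive only)") for a in inventory.values()}


def devices_running(inventory, package):
    """'Which devices are vulnerable to the latest threat?' once the threat is tied to
    an installed package/version string reported by the agents."""
    return sorted(a["hostname"] for a in inventory.values() if package in a.get("software", []))


def prune_audit(audit, now, retention_days):
    """Retention policy: keep only audit records newer than retention_days before now."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=retention_days)
    return [e for e in audit if datetime.fromisoformat(e["seen"]) >= cutoff]


if __name__ == "__main__":
    inv, alerts, audit = build_inventory(OBSERVATIONS, AUTHORIZED)
    print("OS report:", os_report(inv))
    print("Running Java 8u181:", devices_running(inv, "Java 8u181"))
    print("Unauthorized sightings:", alerts)
    print("Audit records kept under 1-day retention:",
          len(prune_audit(audit, "2018-09-03T00:00:00", 1)))
```

Two design points carry over to a real deployment: a sighting from an unknown device is alerted on and kept out of the trusted inventory, so a rogue host cannot populate its own record; and the report distinguishes "no OS reported" from a known OS, so passive-only coverage of contractor or guest machines shows up as a visibility gap rather than a false negative.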
`
`The example solution described in this guide has the following benefits:
`
`▪ enables faster responses to security alerts by revealing the location, configuration, and owner of
`a device
`
`▪
`
`▪
`
`increases cybersecurity resilience: help security analysts focus on the most valuable or critical
`assets
`
`improves and reduces reporting time for management and auditing
`
`▪ provides software license utilization statistics (to identify cost reduction opportunities)
`
`▪
`
`▪
`
`reduces help desk response times: staff already know what is installed and the latest pertinent
`errors and alerts
`
`reduces the attack surface of machines by ensuring that software is correctly patched/updated
`
`Other potential benefits include, but are not limited to rapid, transparent deployment and removal
`using consistent, efficient, and automated processes; improved situational awareness; and an improved
`security posture gained from tracking and auditing access requests and other ITAM activity across all
`networks.
`
`This NIST Cybersecurity Practice Guide:
`
`▪ maps security characteristics to guidance and best practices from NIST and other standards
`organizations as well as the Federal Financial Institutions Examination Council IT Examination
`Handbook and Cyber Assessment Tool (CAT) guidance
`
▪ provides:

    • a detailed example solution with capabilities that address security controls

    • instructions for implementers and security engineers, including examples of all the
      necessary components and installation, configuration, and integration

▪ is modular and uses products that are readily available and interoperable with your existing IT
infrastructure and investments
`
`Your organization can be confident that these results can be replicated: We performed functional
`testing and submitted the entire build to verification testing. An independent second team verified the
`build documentation based on the information in this practice guide.
`
`While we have used a suite of open source and commercial products to address this challenge, this
`guide does not endorse these particular products, nor does it guarantee regulatory compliance. Your
`organization's information security experts should identify the standards-based products that will best
`integrate with your existing tools and IT system infrastructure. Your company can adopt this solution or
`one that adheres to these guidelines in whole, or you can use this guide as a starting point for tailoring
`and implementing parts of a solution.
`
`2 How to Use This Guide
`This National Institute of Standards and Technology (NIST) Cybersecurity Practice Guide demonstrates a
`standards-based reference design and provides users with the information they need to replicate all or
`parts of the build created in the NCCoE ITAM Lab. This reference design is modular and can be deployed
`in whole or in part.
`
`This guide contains three volumes:
`
`▪ NIST SP 1800-5A: Executive Summary
`
`▪ NIST SP 1800-5B: Approach, Architecture, and Security Characteristics – what we built and why
`(you are here)
`
`▪ NIST SP 1800-5C: How-To Guides – instructions for building the example solution
`
`Depending on your role in your organization, you might use this guide in different ways:
`
`Financial services sector leaders, including chief security and technology officers, will be interested in
`the Executive Summary, NIST SP 1800-5A, which describes the following topics:
`
`▪
`
`challenges that financial services sector organizations face in implementing and using ITAM
`systems
`
`▪ example solution built at the NCCoE
`
`▪ benefits of adopti