Abstract

OMB Circular A-130 and 44 U.S.C. 3511 require all U.S. federal agencies to maintain hardware and software inventories for their information systems. This represents an important NIST control—Configuration Management and it supports the Business Impact Assessment. It also supports the need to clearly define system boundaries—the components that need to be protected. It is important to include the operating system name and version, the application name and version, patch level and version, IP host addresses, database name and version, as well as any middleware, backup tools, etc. This is critical information for measuring variation from the baseline. It is also critical for the incident ...