Automated Unauthorized Component Detection CM-8(3)

Overview:
The organization:
(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
(b) Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].

Supplemental Guidance:
This control enhancement is applied in addition to the monitoring for unauthorized remote connections and mobile devices. Monitoring for unauthorized system components may be accomplished on an ongoing basis or by the periodic scanning of systems for that purpose. Automated mechanisms can be implemented within information systems or in other separate devices. Isolation can be achieved, for example, by placing unauthorized information system components in separate domains or subnets or otherwise quarantining such components. This type of component isolation is commonly referred to as sandboxing.

Related controls:AC-17, AC-18, AC-19, CA-7, SI-3, SI-4, SI-7, RA-5.

Action Items:
1) Implement automated mechanism to detect unauthorized components

2) Implement procedures to remediate any found unauthorized components

Related Documents:
1) Secure Systems Configuration Policy

2) Vulnerability Management Policy

Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
CM-8 (3) (a) [Continuously, using automated mechanisms with a maximum five-minute delay in detection]

Moderate Additional FedRAMP Requirements and Guidance
none