IT Asset Management

Download the Practice Guide

The NCCoE has released the final version of NIST Cybersecurity Practice Guide SP 1800-5, IT Asset Management. Use the buttons below to view this publication in its entirety or scroll down for links to a specific section.

Download PDF »Open Web Version »

The NCCoE released a final version of the NIST Cybersecurity Practice Guide, IT Asset Management on September 7, 2018.

For ease of use, the guide is available in volumes:

SP 1800-5a: Executive Summary (PDF) (web page)
SP 1800-5b: Approach, Architecture, and Security Characteristics (PDF) (web page)
SP 1800-5c: How-To Guides (PDF) (web page)

Or download the complete guide (PDF).

If you have questions or would like to work on additional Financial Services sector projects, email us at financial_nccoe@nist.gov.

Financial institutions deploy a wide array of information technology devices, systems, and applications across a wide geographic area. While these physical assets can be labeled and tracked using bar codes and databases, understanding and controlling the cybersecurity resilience of those systems and applications is a much larger challenge. Not being able to track the location and configuration of networked devices and software can leave an organization vulnerable to security threats. Further complicating this scenario is many organizations include subsidiaries, branches, third-party partners, contractors as well as temporary workers and guests.

Solution

To address this cybersecurity challenge, NCCoE security engineers developed an example solution that will provide an organization the tools to centrally monitor and gain deeper insight into their entire IT asset portfolio with an automated platform. Using open source and commercially available technologies compatible with an existing infrastructure, this example solution addresses questions such as “What operating systems are our laptops running?” and “Which devices are vulnerable to the latest threat?” By tying existing data systems for physical assets, security systems, and IT support into a comprehensive IT asset management (ITAM) system, financial services companies can dynamically apply business and security rules, using automation, to improve their cybersecurity resilience and gain efficiencies in asset management and reduce costs associated with unused or underutilized physical and software assets.

In short, the example ITAM solution gives companies the ability to track, manage, and report on information assets throughout their entire life cycle. This can ultimately increase cybersecurity resilience by enhancing the visibility of assets, identifying vulnerable assets, enabling faster response to security alerts, revealing which applications are actually being used and reducing help desk response times.

Read the two-page fact sheet. For archival purposes, you may download the revised and original Project Descriptions.

Collaborating Vendors

Organizations participating in this project submitted their capabilities in response to an open call in the Federal Register for all sources of relevant security capabilities from academia and industry (vendors and integrators). The following respondents with relevant capabilities or product components (identified as “Technology Partners/Collaborators” herein) signed a Cooperative Research and Development Agreement to collaborate with NIST in a consortium to build this example solution.

_{Certain commercial entities, equipment, products, or materials may be identified by name or company logo or other insignia in order to acknowledge their participation in this collaboration or to describe an experimental procedure or concept adequately. Such identification is not intended to imply special status or relationship with NIST or recommendation or endorsement by NIST or NCCoE; neither is it intended to imply that the entities, equipment, products, or materials are necessarily the best available for the purpose.}

Join Our Community of Interest

Interested in joining the IT Asset Management Community of Interest? Contact us!

A Community of Interest is a group of professionals and technical advisors convened to support the cybersecurity resiliency of the U.S. economy. Read More.