*4.5.2 Digital asset inventory*

Although new installations or modifications to existing facilities will include equipment database inventories of SSCs, these lists are often out of date, incomplete, and lacking the information needed to support cyber requirements and incident response decisions. Thus, the digital asset inventory CIE principle is intended to ensure that an accurate as-built digital asset inventory is maintained throughout the systems engineering lifecycle, including initial design, maintenance, configuration changes, and upgrades or modifications.

It is impossible to provide adequate protection against cyber incidents if there are unknown digital assets installed in a facility. Therefore, it is necessary to establish complete, accurate, and detailed asset inventories for the entire digital bill of materials (DBOM), including make, model, and version information for hardware, firmware, and software. For instance, if a vendor or intelligence agency provides vulnerability and threat information for a specific digital asset, a facility can easily use its inventory to determine whether it has that asset installed. Accurate digital asset inventories improve the overall vulnerability management process. Without the inventory, it is very difficult to track whether newly identified cyber risks are applicable to the facility.
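The advisory lookup described above, as an added example that is not part of the original document: it checks a constructed inventory against a constructed advisory and separately lists records whose missing version prevents a decision. All makes, models, asset tags, and field names are assumptions made up for illustration.

```python
from collections import namedtuple

# One DBOM row per component; version None means "not recorded" (assumed schema).
Component = namedtuple("Component", "asset_id kind make model version")
# Affected range is first_affected <= version < fixed_in (assumed advisory shape).
Advisory = namedtuple("Advisory", "kind make model first_affected fixed_in")

def parse_version(text):
    """Turn '2.10.3' into (2, 10, 3, 0) so that 2.10 sorts after 2.9."""
    nums = [int(part) for part in text.split(".")]
    return tuple(nums + [0] * (4 - len(nums)))

def _norm(name):
    """Ignore case and stray whitespace when comparing make/model strings."""
    return " ".join(name.lower().split())

def triage(inventory, advisory):
    """Return (affected, unknown) asset IDs for one advisory.

    'unknown' holds make/model matches whose version is missing or
    unparsable: the inventory gaps that block an applicability decision.
    """
    key = (advisory.kind, _norm(advisory.make), _norm(advisory.model))
    lo, hi = parse_version(advisory.first_affected), parse_version(advisory.fixed_in)
    affected, unknown = [], []
    for c in inventory:
        if (c.kind, _norm(c.make), _norm(c.model)) != key:
            continue
        try:
            version = parse_version(c.version)
        except (AttributeError, ValueError):  # None or non-numeric version
            unknown.append(c.asset_id)
            continue
        if lo <= version < hi:
            affected.append(c.asset_id)
    return affected, unknown

# Constructed sample data; "ExampleCo", "XC-200" and the asset tags are placeholders.
ADVISORY = Advisory("firmware", "ExampleCo", "XC-200", "2.4.0", "2.10.0")
INVENTORY = [
    Component("PLC-101", "firmware", "ExampleCo", "XC-200", "2.4.1"),
    Component("PLC-102", "firmware", "exampleco ", "XC-200", "2.10.0"),
    Component("PLC-103", "firmware", "ExampleCo", "XC-200", None),
    Component("PLC-104", "firmware", "ExampleCo", "xc-200", "2.9"),
    Component("HMI-201", "software", "ExampleCo", "ViewStation", "2.4.1"),
]

if __name__ == "__main__":
    print(triage(INVENTORY, ADVISORY))
```

PLC-104 shows why versions are compared numerically: as plain strings, "2.9" would sort after "2.10.0" and the asset would be missed.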

In addition to the DBOM, configuration information, backup requirements, and restoration information should be maintained for each digital SSC. Since cyber compromises do occur within the supply chain and early lifecycle stages, this complete design record should be maintained under secured configuration control such that all modifications or updates are captured. When used in conjunction with the incident response planning principle, this detailed information can be used to restore or rebuild a system after a cyber incident.
