NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-12 Information Location

a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;

b. Identify and document the users who have access to the system and system components where the information is processed and stored; and

c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Supplemental Guidance

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445)). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17)).

Practitioner Notes

This control requires you to know where your important information lives — which systems, databases, and storage locations contain sensitive data like CUI, PII, or financial records.

Example 1: Use Microsoft Purview Data Map to scan your file shares, SharePoint sites, and databases to discover and classify where sensitive data resides across your organization.

Example 2: Create a data flow diagram that shows where CUI enters your environment, where it is stored, where it is processed, and where it exits, and review it annually.