NIST 800-53 REV 5 • PROGRAM MANAGEMENT

PM-5System Inventory

Develop and update {{ insert: param, pm-05_odp }} an inventory of organizational systems.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

[OMB A-130](#27847491-5ce1-4f6a-a1e4-9e483782f0ef) provides guidance on developing systems inventories and associated reporting requirements. System inventory refers to an organization-wide inventory of systems, not system components as described in [CM-8](#cm-8).

Practitioner Notes

You must maintain an up-to-date inventory of all the information systems your organization operates or relies on. If you do not know what systems you have, you cannot protect them.

Example 1: Create a system inventory spreadsheet listing every system by name, owner, classification level, authorization status, and the data types it processes. Include cloud services like M365, AWS instances, and SaaS tools your staff uses daily.

Example 2: In Microsoft Defender for Cloud Apps, go to Cloud Discovery to automatically detect all cloud applications your employees are using. This catches shadow IT — services people signed up for without approval — and feeds your system inventory with real usage data.

More Program Management Controls

PM-1 Information Security Program Plan PM-2 Information Security Program Leadership Role PM-3 Information Security and Privacy Resources PM-4 Plan of Action and Milestones Process