NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION

SA-4(4) Assignment of Components to Systems

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Practitioner Notes

When integrating components from different vendors into a single system, document which components belong to which systems and ensure that security boundaries are clear between them.

Example 1: Maintain a system component inventory that maps each hardware and software component to the system it belongs to. Document the security boundary — where one system's responsibility ends and another begins — especially at integration points where data flows between systems.

Example 2: In your network diagrams, clearly label which components are part of which system's authorization boundary. When a shared component (like a database server) serves multiple systems, document the shared responsibility and ensure both system owners agree on who is responsible for its security.