GRCWatch
Sign inStart free trial

CIS Controls 16.4: Establish and Manage an Application Inventory

Third-party components are everywhere in your codebase—and so is risk. CIS Controls 16.4 requires you to maintain a comprehensive bill of materials (BOM) and track every dependency, from external libraries to internally developed components. This control is your defense against unknown vulnerabilities slipping into production.

What this means

CIS 16.4 mandates creating and maintaining an up-to-date inventory of all third-party and internal components used in your development environments. This includes tracking associated risks, evaluating changes at least monthly, and confirming that each component remains supported by its vendor or maintainer. The goal is eliminating blind spots in your supply chain and catching vulnerable or abandoned dependencies before they become incidents.

How to comply

  1. 1.Catalog all third-party dependencies in your codebase, including libraries, frameworks, plugins, and APIs
  2. 2.Document internally developed components and their purpose, ownership, and integration points
  3. 3.Perform a risk assessment for each component, identifying known vulnerabilities, licensing issues, and vendor stability
  4. 4.Establish a bill of materials (BOM) in a centralized format (SBOM or similar standard) accessible to security and development teams
  5. 5.Schedule monthly reviews to detect new components, updated versions, or deprecated dependencies
  6. 6.Validate vendor support status for each component, flagging unsupported or end-of-life items
  7. 7.Maintain audit logs of inventory changes, removals, and updates for compliance evidence
  8. 8.Integrate automated dependency scanning tools into your CI/CD pipeline to flag new risks in real time

Evidence auditors look for

  • Bill of Materials (BOM) document or SBOM in SPDX or CycloneDX format with component names, versions, and vendors
  • Third-party risk assessment spreadsheet documenting known CVEs, support status, and license compliance for each dependency
  • Monthly inventory review records showing dates, findings, and actions taken for updated or deprecated components
  • Component lifecycle policy defining how new dependencies are approved, tracked, and retired
  • Automated scan reports from dependency management tools (e.g., Snyk, Dependabot, Black Duck) showing inventory changes
  • Vendor support verification documentation confirming active maintenance for critical components
  • Change log or audit trail showing when components were added, updated, or removed from production

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates application inventory tracking and monthly compliance reviews, pulling dependency data directly from your repositories and flagging unsupported components in a centralized dashboard—so your team spends less time on spreadsheets and more time fixing actual risks.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CIS Controls 16.1 — Establish and Manage a Software InventoryCIS Controls 2.1 — Establish and Maintain a Software InventoryCIS Controls 3.10 — Disable Dormant AccountsNIST SP 800-53 SA-3 — System Development Life CycleNIST SP 800-53 SA-12 — Supply Chain Protection