NIST Cybersecurity Framework ID.AM-2: Software Asset Inventory
Software sprawl is a compliance blind spot for most SMBs. NIST ID.AM-2 requires complete visibility into every application running across your organization—from purchased platforms to custom scripts. Without accurate software asset inventory, you can't effectively manage vulnerabilities, enforce licenses, or demonstrate control to auditors.
What this means
ID.AM-2 mandates that your organization maintains a comprehensive, current inventory of all software platforms and applications in use. This includes commercial off-the-shelf (COTS) products, SaaS applications, open-source tools, and internally developed software. The inventory must document key attributes such as version numbers, deployment locations, business owners, and licensing status. This foundational control enables you to identify security risks, manage software licenses, track end-of-life products, and maintain an accurate technology landscape for risk management.
How to comply
- 1.Conduct a comprehensive software discovery across all systems, networks, and cloud environments using automated asset scanning tools
- 2.Document each application with metadata: name, vendor, version, deployment location, business function, and responsible owner
- 3.Establish a centralized software asset management (SAM) system as your single source of truth for inventory data
- 4.Implement automated discovery mechanisms to detect new or unauthorized software installations in real-time
- 5.Define and enforce a software approval workflow before deployment to prevent unlicensed or non-compliant applications
- 6.Schedule quarterly reviews to remove deprecated software, update version records, and validate inventory accuracy
- 7.Integrate your software inventory with your vulnerability management and patch management processes
- 8.Document policies and procedures for software asset tracking and assign clear ownership for maintenance
Evidence auditors look for
- Documented software asset inventory spreadsheet or database with current version numbers and deployment details
- Automated asset discovery reports from tools like Qualys, Rapid7, or cloud-native scanning services
- Software approval request forms showing business justification and security sign-off for newly deployed applications
- Quarterly inventory audit reports with validation dates and reconciliation notes
- Integration records between inventory management and vulnerability scanning platforms
- License tracking documentation linking software inventory to compliance and cost management
- Change logs showing additions, removals, and updates to the software inventory over time
- Vendor documentation and end-of-life notices for tracked software products
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch's automated asset discovery integrates with your infrastructure to continuously catalog software inventory and flag unlicensed or deprecated applications, eliminating manual spreadsheet updates and detection gaps.
See how GRCWatch handles this control automatically
Start free trial