GRCWatch
Sign inStart free trial

NIST ID.AM-4: Maintain a Complete External Systems Catalog

External systems represent a critical attack surface for organizations. ID.AM-4 requires you to catalog and track all external information systems that connect to or interact with your environment. Without visibility into these dependencies, you cannot effectively manage risk or demonstrate compliance to auditors.

What this means

This control mandates creating and maintaining a comprehensive inventory of external systems—including third-party vendors, cloud services, APIs, and integrated applications—that interface with your organization. You must document system characteristics, data flows, and connection points. This catalog becomes the foundation for asset management, risk assessment, and supply chain security decisions.

How to comply

  1. 1.Identify all external systems interacting with your infrastructure through network traffic analysis, data mapping, and stakeholder interviews
  2. 2.Document system ownership, purpose, data classification, and connection methods for each external system
  3. 3.Establish baseline inventory data including vendor information, contract terms, and criticality ratings
  4. 4.Implement discovery tools to detect unknown or shadow external systems automatically
  5. 5.Schedule quarterly reviews to identify new external systems and retire deprecated connections
  6. 6.Create accountability by assigning owners to each external system entry
  7. 7.Track system lifecycle from implementation through decommissioning

Evidence auditors look for

  • External systems inventory spreadsheet with vendor names, connection types, and data exchanged
  • Network diagrams showing external system connections and data flow paths
  • Documentation of API integrations including authentication methods and endpoints
  • Vendor management database with contract dates and security requirements
  • Change logs showing additions, modifications, and removals of external systems
  • Automated discovery tool reports identifying connected third-party services
  • Risk assessments linking external systems to potential compliance violations

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers external systems through network analysis and API monitoring, then catalogs them with pre-built vendor risk profiles—cutting your external systems inventory time from weeks to days.

See how GRCWatch handles this control automatically

Start free trial

Related controls

NIST ID.AM-1 (Inventory of Assets)NIST ID.AM-2 (Software Inventory)NIST ID.RA-2 (Risk Assessment)NIST PR.AC-4 (Third-Party Access Management)NIST DE.CM-3 (Monitor External Service Activity)