ID.AM-01 Hardware Asset Inventory - NIST CSF 2.0 Checklist

ID.AM-01 requires organizations to inventories of hardware managed by the organization are maintained. This NIST CSF 2.0 control falls under the Identify (ID) function and the Asset Management category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: ID.AM-01
Title: Hardware Asset Inventory
Function: Identify (ID)
Category: Asset Management
Framework: NIST CSF 2.0

Inventories of hardware managed by the organization are maintained.

Inventories of hardware managed by the organization are maintained. This includes endpoints, servers, network devices, IoT devices and any other physical technology assets connected to the organization's infrastructure.

Why This Matters

You cannot protect what you do not know exists. Unknown hardware assets create blind spots that attackers exploit. Unmanaged devices are consistently among the top initial access vectors in breaches.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of ID.AM-01.

Deploy automated asset discovery tools across all network segments
Maintain a centralized hardware asset inventory database
Record asset owner, location, classification and lifecycle status for each device
Reconcile discovered assets against the inventory at least quarterly
Establish a process for registering new hardware before deployment
Track end-of-life and end-of-support dates for all hardware

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with ID.AM-01 during an audit.

Hardware asset inventory export with required fields populated
Automated discovery scan reports showing reconciliation results
Asset registration workflow documentation
End-of-life tracking reports or dashboard screenshots

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with ID.AM-01.

Asset inventory is a spreadsheet that is updated only during audits
IoT and OT devices are excluded from the hardware inventory
No automated discovery tool to identify rogue or unknown devices

FAQ

What does ID.AM-01 require?

ID.AM-01 (Hardware Asset Inventory) requires that inventories of hardware managed by the organization are maintained. This includes endpoints, servers, network devices, IoT devices and any other physical technology assets connected to the organization's infrastructure. This control is part of the NIST CSF 2.0 Identify function under the Asset Management category.

How do I prove compliance with ID.AM-01?

To demonstrate compliance with ID.AM-01, prepare the following evidence: Hardware asset inventory export with required fields populated; Automated discovery scan reports showing reconciliation results; Asset registration workflow documentation. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.

Get a Compliance Assessment