NIST CSF 2.0 - Identify

ID.AM-02: Software Asset Inventory

ID.AM-02 requires that inventories of software and services managed by the organization are maintained. This NIST CSF 2.0 control falls under the Identify (ID) function and the Asset Management category. Use this checklist to verify implementation and prepare evidence for auditors.

Control Details

Control ID: ID.AM-02
Title: Software Asset Inventory
Function: Identify (ID)
Category: Asset Management
Framework: NIST CSF 2.0

Inventories of software and services managed by the organization are maintained.

This includes operating systems, applications, firmware, SaaS services, and any code libraries or dependencies in use.

Why This Matters

Untracked software introduces unpatched vulnerabilities and licensing risks. Shadow IT applications bypass security controls and create data exfiltration paths that security teams cannot monitor.

Implementation Checklist

Use this checklist to verify your organization meets the requirements of ID.AM-02.

Evidence an Auditor Expects

Prepare the following documentation and artifacts to demonstrate compliance with ID.AM-02 during an audit.

  • Software asset inventory with version and patch level data
  • SaaS subscription register or cloud access security broker reports
  • Software bill of materials for internally developed applications
  • Unauthorized software detection reports

Common Gaps We Find

Based on our penetration testing and risk assessment engagements, these are the gaps organizations most frequently have with ID.AM-02.

  • SaaS and cloud services are not included in the software inventory
  • No process exists to detect unauthorized software installations
  • Open-source dependencies are not tracked or assessed for vulnerabilities

FAQ

What does ID.AM-02 require?
ID.AM-02 (Software Asset Inventory) requires that inventories of software and services managed by the organization are maintained. This includes operating systems, applications, firmware, SaaS services and any code libraries or dependencies in use. This control is part of the NIST CSF 2.0 Identify function under the Asset Management category.
How do I prove compliance with ID.AM-02?
To demonstrate compliance with ID.AM-02, prepare the following evidence: Software asset inventory with version and patch level data; SaaS subscription register or cloud access security broker reports; Software bill of materials for internally developed applications. Auditors will verify that these artifacts exist and reflect current operational practices.

Need Help Meeting NIST CSF 2.0 Requirements?

Our penetration testing and risk assessments map directly to NIST CSF 2.0 controls. Sherlock Forensics identifies gaps in your compliance posture and provides actionable remediation guidance.