NIST ID.AM-1: Physical Device and System Inventory
Physical device inventory is the foundation of asset management and cybersecurity visibility. ID.AM-1 requires your organization to maintain an accurate, complete inventory of all physical devices and systems—from servers and workstations to network infrastructure. Without it, you can't identify vulnerabilities, manage risks, or demonstrate compliance to auditors.
What this means
ID.AM-1 mandates that your organization maintains a comprehensive, current inventory of all physical devices and systems connected to or supporting your IT environment. This includes servers, desktops, laptops, mobile devices, network equipment (routers, switches, firewalls), printers, IoT devices, and any other hardware assets. The inventory must be documented, regularly updated, and tied to ownership and operational responsibility.
How to comply
- 1.Identify and document all physical devices across your organization, including location, hardware specifications, and owner
- 2.Create a centralized asset database or CMDB (Configuration Management Database) to track all devices
- 3.Assign unique identifiers (asset tags, serial numbers) to each device for tracking and auditing
- 4.Establish a regular review cadence (quarterly minimum) to identify new, decommissioned, or moved devices
- 5.Define a process for onboarding new devices into inventory before deployment
- 6.Document the business function or purpose each device serves
- 7.Include hardware lifecycle information: acquisition date, warranty expiration, and planned retirement dates
- 8.Restrict physical access to sensitive devices and maintain audit logs of inventory changes
Evidence auditors look for
- Asset inventory spreadsheet or database with device name, model, serial number, location, owner, and acquisition date
- Hardware lifecycle documentation showing when devices were acquired and when they were retired
- Network discovery reports (e.g., from Nessus, Qualys) showing active devices on your network
- Physical inventory audit records with dates and evidence of validation
- Change management logs documenting when devices were added to or removed from inventory
- Device configuration snapshots or hardware specification records
- Depreciation schedules tying physical assets to financial records
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates physical device discovery and inventory reconciliation using network scanning integrations, eliminating manual spreadsheet maintenance and keeping your ID.AM-1 inventory audit-ready at all times.
See how GRCWatch handles this control automatically
Start free trial