03.04.10 — (a) Develop and document an inventory of system components. (b) Review and update the system component inventory {{ insert: param, A.03.04.10.ODP.01 }}. (c) Update the system component inventory as part of installations, removals, and system updates.

What this control requires

(a) Develop and document an inventory of system components. (b) Review and update the system component inventory {{ insert: param, A.03.04.10.ODP.01 }}. (c) Update the system component inventory as part of installations, removals, and system updates.

Source: NIST SP 800-171 R3 §03.04.10 (official control text).

Why this matters

An accurate system component inventory is the foundation of cybersecurity asset management. Without knowing what hardware, software, and firmware exists in your environment, you cannot patch vulnerabilities, track licenses, detect unauthorized devices, or respond to incidents effectively. This control prevents shadow IT, identifies orphaned systems that escape security updates, and ensures every asset processing CUI is accounted for and protected. It protects against attackers exploiting unknown or forgotten systems that lack current defenses.

What evidence assessors expect

Assessors typically look for: CSV export, screenshot, PDF, photo. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.