Hardware Asset Management FAQ

What is the Hardware Asset Management (HWAM) Security Capability?

The HWAM CDM Security Capability is a grouping of security controls that are employed to:

  • Give organizations visibility into the hardware devices, including removable media, operating on the network
  • Discover new devices that connect to the network
  • Identify all devices actually present
  • Address whether each device is authorized on the network
  • Address whether someone is assigned to manage the device
  • Prevent malicious or compromised hardware from being installed on the system
  • Reduce the number of easy-to-compromise devices that are not actively administered
  • Prevent unauthorized hardware from being used for data exfiltration

What security results should we be able to achieve by implementing HWAM?

HWAM makes sure that devices are identified, authorized, and managed. HWAM helps reduce the exploitable attack surface by providing information about unauthorized devices so that they can be removed or authorized, and by ensuring that devices are assigned to a person or team for system administration. Unauthorized and unmanaged devices are more likely to be used by attackers as a platform from which to extend a compromise across the network; HWAM mitigates that risk.

What type of security issues are addressed by the HWAM security capability?

Attackers continually scan Federal networks for new, unprotected systems, including test or experimental systems, and exploit those systems to gain control of them. By exploiting these machines, attackers are able to gain a foothold on the network in order to pivot to other parts of the network or to extract data. Attackers also exploit forgotten machines that no one is managing or is aware of on the network. These unattended or unmanaged machines are particularly vulnerable to attacks due to outdated patches and configurations. Incident reports reveal that unmanaged machines play a significant role in high-impact attacks and exploitations of networks.
The HWAM security capability addresses attacks on unidentified, unauthorized, and unmanaged assets by reducing the number of such devices on the network.

What can I do to reduce my exposure to attacks exploiting poor hardware management?

After identifying an unmanaged device, the methods below can reduce this particular cybersecurity risk:

Primary Methods

  • Quickly remove the unmanaged device from the network
  • Quickly assign the unmanaged device to be managed by a specific group

Preventative Methods

  • Develop processes to prevent new unmanaged machines from appearing on the network
  • Develop processes to prevent previously managed machines from becoming unmanaged. This typically happens when a device manager leaves the organization, and devices are not re-assigned.
  • Using an up-to-date list of authorized hardware and who manages it, treat any other hardware actually on the network as a defect. Remove the device from the network if it is not going to be authorized.

How does the HWAM security capability define a hardware asset?

For the purposes of CDM Hardware Asset Management, an asset is:

  • Any hardware asset that is addressable (i.e., has an IP address) and is connected to your organization's network(s). This includes computers, networking devices, communication devices, and input/output devices, both physical and virtual. These devices and their peripherals are remotely attackable.
  • Any USB device and other removable devices connected to a hardware asset (one that has an IP address). These devices become a vector to spread malware across additional devices.

This definition is also used by FISMA and is documented on page 23 of the annual FISMA reporting instructions.
Thus, not every "device" in a property inventory is included in the Hardware Asset Management definition of devices. For example, a monitor (not addressable, thus not included) can be attacked only through an addressable computer. (For other examples, see the FISMA reporting instructions.) If you find other kinds of devices that you believe should be included, please let us know so we can consider those issues.

How does the HWAM security capability support ongoing automated assessment as defined by NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations?

The following is an example of how the assessment for unauthorized devices can be automated:

  1. Develop an Actual State list (inventory) of (as close as practical to) all devices on the network. The Actual State can be collected automatically using sensors deployed throughout the environment to detect devices and collect the information required for comparison.
  2. Define the Desired State Specification list of all devices "authorized" to be on the network.
  3. Defects can be found by computing the differences between Actual State and Desired State. A Defect is a device that is a) in the Actual State but b) not in the Desired State, and is thus "unauthorized." This can be computed by simple set difference.

The following is an example of how the assessment for unmanaged devices can be automated:

  1. Develop an Actual State list (inventory) of (as close as practical to) all devices on the network. The Actual State can be collected automatically using sensors deployed throughout the environment to detect devices and collect the information required for comparison.
  2. Build the Desired State Specification list of the device manager assigned to each device, together with an approved list of device managers. This provides the information needed for comparison: whether the device manager listed for each device is non-null, and whether that manager is in the list of approved device managers.
  3. Defects can be found by computing the differences between Actual State and Desired State. A Defect is an authorized device in the HWAM-F1 Actual State where the device manager listed is either a) null or b) not null but not on the approved list. Such devices are called "unmanaged."

Note: You have to know the HWAM Actual State status to assess whether the device is authorized and managed. Actual State sensors, such as active and passive network sensors, asset management repositories, network event sensors, and endpoint-based agents, allow for automated collection of information for devices on the network. Additional tools allow for the automated comparison of Actual State and Desired State to identify defects. Also note that an unmanaged device that is not on the network (in the HWAM Actual State) is not counted as a defect because it cannot cause risk until it is on the network.
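The two assessments above (unauthorized devices by set difference, unmanaged devices by a null-or-unapproved manager check) as an added worked example; this is illustrative code, not part of the CDM program or the original page. The Actual State, Desired State and approved-manager list are constructed sample data keyed by serial number, which is assumed here to be the field that links the two inventories.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed sample data (not from any real CDM deployment).
# Actual State: device identifiers reported by network sensors.
ACTUAL_STATE: Set[str] = {"SN-1001", "SN-1002", "SN-1003", "SN-2001"}


@dataclass
class DesiredDevice:
    """Minimal Desired State record for one authorized device."""
    serial: str
    manager: Optional[str]   # person/group responsible; None = never assigned
    status: str              # expected status: active, inactive, stolen, ...


# Desired State: every device authorized to be on the network.
DESIRED_STATE: Dict[str, DesiredDevice] = {
    "SN-1001": DesiredDevice("SN-1001", "net-admins", "active"),
    "SN-1002": DesiredDevice("SN-1002", None, "active"),               # no manager
    "SN-1003": DesiredDevice("SN-1003", "former-contractor", "active"),  # not approved
    "SN-3001": DesiredDevice("SN-3001", None, "stolen"),               # unmanaged but off-network
}

# Approved device-manager list (assumed to be maintained alongside Desired State).
APPROVED_MANAGERS: Set[str] = {"net-admins", "server-admins"}


def unauthorized_devices(actual: Set[str], desired: Dict[str, DesiredDevice]) -> Set[str]:
    """Devices present in Actual State but absent from Desired State:
    a plain set difference, exactly as step 3 of the first assessment says."""
    return actual - set(desired)


def unmanaged_devices(actual: Set[str], desired: Dict[str, DesiredDevice],
                      approved: Set[str]) -> Set[str]:
    """Authorized devices that are on the network and whose listed manager is
    either null or not on the approved list. A device that is not in Actual
    State is not counted, because it cannot cause risk until it is on the network."""
    defects: Set[str] = set()
    for serial in actual & set(desired):
        manager = desired[serial].manager
        if manager is None or manager not in approved:
            defects.add(serial)
    return defects


if __name__ == "__main__":
    print("unauthorized:", sorted(unauthorized_devices(ACTUAL_STATE, DESIRED_STATE)))
    print("unmanaged:", sorted(unmanaged_devices(ACTUAL_STATE, DESIRED_STATE, APPROVED_MANAGERS)))
```

SN-3001 is unmanaged on paper but absent from the Actual State, so it produces no defect until a sensor sees it.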

What data should I collect about HWAM devices?

The minimal Hardware Asset Management data recorded should include the following:

Data Item: Expected CPE (vendor, product, version, release level) or equivalent
Justification:
  • For reporting device types
  • For supply chain management
  • To know what CCEs and CVEs may apply to these devices (for the CSM and VULN CDM Security Capabilities)

Data Item: Person or organization responsible for managing the hardware asset (note: such assignments should ensure that the designee is not assigned too many assets to manage them effectively)
Justification:
  • To know who should fix specific risk conditions
  • To assess the responsible individuals' risk management performance

Data Item: Data necessary to link the Desired State inventory to the Actual State inventory
Justification:
  • To be able to identify unauthorized and unmanaged devices

Data Item: Data necessary to physically locate hardware assets
Justification:
  • So managers can find the device to fix it
  • To identify mobile devices so that extra controls can be assigned

Data Item: The period of time the asset is authorized
Justification:
  • To allow previously authorized devices to remain in the inventory while knowing they are no longer authorized

Data Item: Expected status of the device (active, inactive, stolen, missing, transferred, etc.)
Justification:
  • To know which authorized devices are not likely to be found in the actual inventory

Data Item: Data necessary to physically identify the asset (such as property number or serial number)
Justification:
  • To be able to validate that the remotely found device is actually this device, and not an imposter

How can I assign Managers for HWAM Devices?

Manager identification of devices must be used to know which individual(s) is/are responsible for specific risks and can be expected to fix risk conditions. The manager of the device is the group of persons who have authority and responsibility to manage the device. Managing the device means, at a minimum:

  • Connecting the device to the network
  • Configuring its operating system

Organizations should assign managers to meet the following:

  • Making adjustments to the operating system settings and/or patching to support a specific application(s)
  • Controlling other software installation on the device
  • Keeping patching up to date
  • Managing settings of the other software
  • Mitigating defects as necessary

Authority and responsibility means, at a minimum, having the right administrator privileges on the device to manage a device. (For automated functions, those who manage the tools that automate the process are the managers for the items automated.)

While the assignment process is normally manual, there is some potential to automate it. For example, where LDAP data defines groups of devices and who manages them, the LDAP data can be read so that when new devices are added to a device group, the device can automatically be assigned to the administrator group that manages that device group. Likewise, when a person is removed from the administrator group, he/she is no longer responsible for managing the devices in the covered device groups.

The following are NOT the actual managers of a device (unless they also meet the criteria above, which might happen in a micro-agency):

  • People who supervise the group of individuals who have authority and responsibility to manage the device
  • The CISO and/or CIO who covers the device
  • Other managers who are not actually device or software administrators
  • The user of the device
  • The business owner of the device or the applications on it

How can we prevent unauthorized hardware from getting on the network in the first place?

Removing/assigning unauthorized devices should theoretically not be necessary. But in real operational networks, it often seems inevitable. Organizations can take particular steps to reduce the work required to find out who is responsible for these devices and to record this data.
The following kinds of actions can be taken to reduce the number of unauthorized and unmanaged devices that appear on the network:

  1. Policy can require administrators to put new devices into the Desired State inventory before adding them. Often system administrators connect new devices, then patch and configure them on the production network. This provides a window for the devices to be compromised. In addition, the devices are often added to the network before being recorded in Active Directory (or whatever other source of data for Desired State is in use). Getting administrators to keep the Desired State up to date (edited before the machine appears) will reduce the number of Hardware Asset Management risk conditions.
  2. Logging can track when unauthorized and unmanaged devices are connected to the network, what they are connected to, and who has logged onto them. All of this data can help investigate who connected the devices. Once the person is found, letting them know what is expected can prevent creation of these risk conditions.
  3. A few people may need to be sanctioned. Sanction individuals who frequently connect unauthorized devices, and who do so after due warning. While such actions won't eliminate all unauthorized and unmanaged devices, they can lower their incidence rates, which is a positive step.

How does HWAM support other CDM Security Capabilities?

HWAM is the foundational CDM capability. To ensure assets are appropriately protected, they must be identified, authorized, and managed through HWAM before SWAM, CSM and VULN can measure how well the devices are being managed.