In Episode 8 of my Configuration Management series, I break down CM-8 (System Component Inventory) and why it’s one of those controls you can’t fake during an assessment. CM-8 is about creating and maintaining a detailed inventory of everything inside your authorization boundary—hardware, software, and firmware—and keeping it accurate enough for real tracking and reporting. I also call out what I see all the time: inventories that exist on paper but miss vital details like model/year, patch level, license info, or they’re simply not reviewed—so you end up “discovering” during the assessment that half the listed components were decommissioned months ago. I walk through the actual 800-53 Rev. 5 CM-8 requirements (develop/document, avoid duplicate accounting, set the right granularity, and define what accountability info you’ll track), plus the organization-defined review frequency. Then I dig into the discussion section where duplicate accounting becomes a major theme—especially with centrally managed software and systems running multiple protocols like IPv4/IPv6. Finally, I cover the CM-8 enhancements (installation/removal updates, automation, unauthorized component detection, centralized repository, location tracking, and assigning components to systems) and the practical audit approach I use: review procedures, interview stakeholders, validate against the authorization boundary, and cross-check inventories against artifacts like the system architecture diagram.