12.4 Establish and Maintain Architecture Diagram(s)

Implementation Groups: IG2, IG3

Asset Type: Network
Security Function: Identify

Description

Establish and maintain architecture diagram(s) and/or other network system documentation. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Unidentified Attack Paths Through Undocumented Network Topology (Confidentiality)

Without current architecture diagrams, security teams cannot identify attack paths, network trust boundaries, or segmentation gaps, leaving them unable to proactively defend against threats or accurately scope incident response.

Security Control Gaps from Undocumented Network Changes (Integrity)

Network changes made without updating architecture documentation create undocumented connections, bypassed firewalls, and rogue network paths that introduce security vulnerabilities unknown to the security team.

Ineffective Incident Response Due to Inaccurate Network Maps (Availability)

During incident response, teams rely on outdated or non-existent architecture diagrams, leading to incorrect containment actions, missed compromised segments, and an inability to identify all affected systems.

Vulnerabilities (When Safeguard Absent)

No Current Network Architecture Documentation

The organization has no up-to-date architecture diagrams showing network topology, segmentation boundaries, trust zones, data flows, and external connections, leaving security teams without the visibility needed for effective defense.

Architecture Diagrams Not Updated With Network Changes

Network architecture diagrams exist but are not updated when changes are made, rendering them inaccurate and potentially misleading for security analysis, compliance audits, and incident response activities.
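The implementation checklist above (baseline inventory, tracked attributes, ownership, review cadence) and the two vulnerabilities just described can be checked mechanically. The following is an added example, not part of the CIS text: it assumes a minimal inventory record per diagram (owner, last review date, segments covered, count of significant changes since the review) and flags records that miss the annual review, lack an owner, have unreviewed significant changes, or leave a known network segment undocumented. The record fields, segment names and dates are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta

# The safeguard calls for at least an annual review of architecture documentation.
REVIEW_INTERVAL = timedelta(days=365)


@dataclass
class DiagramRecord:
    """Hypothetical inventory row for one architecture diagram (constructed fields)."""
    name: str
    owner: str                      # accountable owner; empty string means unassigned
    last_reviewed: date             # date of the last documented review
    covers_segments: list[str]      # network segments / trust zones the diagram documents
    significant_changes_since_review: int = 0   # e.g. new external connection, firewall change


def review_findings(records: list[DiagramRecord], known_segments: list[str],
                    today: date) -> list[tuple[str, str]]:
    """Return (item, reason) findings for every way the safeguard is not met."""
    findings: list[tuple[str, str]] = []
    documented: set[str] = set()
    for r in records:
        if not r.owner:
            findings.append((r.name, "no owner assigned"))
        if today - r.last_reviewed > REVIEW_INTERVAL:
            findings.append((r.name, "review older than one year"))
        if r.significant_changes_since_review > 0:
            n = r.significant_changes_since_review
            findings.append((r.name, f"{n} significant change(s) since last review"))
        documented.update(r.covers_segments)
    # Segments the enterprise knows about but no diagram covers: the
    # "undocumented network topology" gap described above.
    for seg in sorted(set(known_segments) - documented):
        findings.append((seg, "segment not covered by any diagram"))
    return findings


# Constructed sample inventory and segment list.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    DiagramRecord("core-dc", "netops@example.com", date(2024, 3, 15), ["dc-core", "dmz"]),
    DiagramRecord("branch-wan", "", date(2023, 1, 10), ["branch"]),
    DiagramRecord("cloud-vpc", "cloud@example.com", date(2024, 2, 1), ["vpc-prod"],
                  significant_changes_since_review=2),
]
KNOWN_SEGMENTS = ["dc-core", "dmz", "branch", "vpc-prod", "ot-plant"]

if __name__ == "__main__":
    for item, reason in review_findings(SAMPLE_RECORDS, KNOWN_SEGMENTS, TODAY):
        print(f"{item}: {reason}")
```

Run it from a change-management hook or a scheduled job so that the "significant enterprise change" trigger in the safeguard produces a finding instead of relying on someone remembering to redraw the diagram.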

Evidence Requirements

Type       Evidence Item                                                    Collection Frequency
Document   Current inventory or catalog documentation                       Maintained continuously, reviewed quarterly
Document   Process/procedure documentation for identification activities    Reviewed annually
Document   Governing policy document (current, approved, communicated)      Reviewed annually