System Security Plans for meeting NIST SP 800-171 requirements should have a hardware and software inventory either included in the plan or referenced in the plan. Here is how to create those inventories.

A hardware inventory is used to document all of the components that make up an information system. These hardware components include but are not limited : laptops, desktops, physical servers, switches, routers, firewalls, smartphones, tablets, printers, scanners, and VOIP switches.

A hardware Inventory can be documented in an excel spreadsheet. The hardware inventory should document: The make, model, serial number, location (e.g., Office, Remote), assigned user, organization ownership, and status (in use, spare, excessed) of the device.

If your organization is small, you can document and maintain your hardware inventory manually. If you are a larger organization, investing in an IT inventory system may yield a good return on investment.

A software inventory documents the software used in your information system. If you are a small organization you can document this manually however if you are a larger organization, investing in a tool that tracks the software installed on your devices is a good strategy.

A software inventory should contain the following information for each software in use in your information system: developer Name (e.g., Microsoft, Adobe), software name (e.g., Acrobat), and versions in production.

After you create your hardware and software inventories you need to ensure that they remain accurate. Periodically review these documents as required. If you are a small organization an annual review is sufficient. Larger organizations may need to review their inventories more regularly as new devices are put into production.