# Inventory: Normalized Approach The normalized approach is prefered. Organizations starting new with no legacy inventory reporting should use this. For organizations converting from a legacy FedRAMP inventory spreadsheet template, consider starting with the [Inventory: Flat Approach](https://patterns.rufrisk.com/books/fedramp-system-security-plan-ssp/page/inventory-flat-approach) and migrating to the normalized approach over time. --- With the **Normalized approach**, common information is captured once in a component assembly. Each instance of that component has its own inventory-item assembly, which cites the relevant component and only includes information unique to that instance. [![ssp-figure-26.png](https://patterns.rufrisk.com/uploads/images/gallery/2026-02/scaled-1680-/ssp-figure-26.png)](https://patterns.rufrisk.com/uploads/images/gallery/2026-02/ssp-figure-26.png) ##### Component-based Representation ```yaml system-security-plan: uuid: 11111111-2222-4000-8000-000000000000 system-implementation: components: - uuid: 11111111-2222-4000-8000-009000300300 type: software title: Linux Operating System description: This is a web server that communicates with a database via an encrypted connection props: - name: asset-type value: operating-system - name: allows-authenticated-scan value: 'yes' - name: scan-type ns: http://fedramp.gov/ns/oscal value: web links: - href: '#11111111-2222-4000-8000-001000000059' rel: baseline status: state: operational inventory-items: - uuid: 11111111-2222-4000-8000-011000000023 description: Instance of the Linux Operating System props: - name: asset-id value: unique-asset-ID-23 - name: asset-type value: operating-system - name: ipv4-address value: 10.23.23.23 - name: ipv6-address value: 0000:0000:0000:0000:0000:ffff:0a17:1717 - name: virtual value: 'yes' - name: public value: 'no' - name: fqdn value: linux-host.example.internal - name: physical-location value: Primary Data Center - name: is-scanned value: 'yes' - name: scan-type ns: http://fedramp.gov/ns/oscal value: infrastructure responsible-parties: - role-id: asset-owner party-uuids: - 11111111-2222-4000-8000-004000000010 - role-id: asset-administrator party-uuids: - 11111111-2222-4000-8000-004000000017 implemented-components: - component-uuid: 11111111-2222-4000-8000-009000300300 ``` **Notes:** - If component-sample is an image of a Linux virtual machine (VM), and 10 instances of that VM are in use, there would be one (1) component assembly and ten (10) inventory-item assemblies, all referencing the same component. --- #### Inventory Data Locations and XPath Queries The following queries are intended to show where to find each piece of information within the system inventory template. [![All Inventory](https://patterns.rufrisk.com/uploads/images/gallery/2026-02/scaled-1680-/ssp-figure-26-1.png)](https://patterns.rufrisk.com/uploads/images/gallery/2026-02/ssp-figure-26-1.png) [![OS Infrastructure Inventory](https://patterns.rufrisk.com/uploads/images/gallery/2026-02/scaled-1680-/ssp-figure-26-2.png)](https://patterns.rufrisk.com/uploads/images/gallery/2026-02/ssp-figure-26-2.png) [![Software and Database Inventory](https://patterns.rufrisk.com/uploads/images/gallery/2026-02/scaled-1680-/ssp-figure-26-3.png)](https://patterns.rufrisk.com/uploads/images/gallery/2026-02/ssp-figure-26-3.png) [![Any Inventory](https://patterns.rufrisk.com/uploads/images/gallery/2026-02/scaled-1680-/ssp-figure-26-4.png)](https://patterns.rufrisk.com/uploads/images/gallery/2026-02/ssp-figure-26-4.png) #