CM - Configuration Management
- Controls Count: 9
- Controls IDs: CM-1, CM-2, CM-4, CM-5, CM-6, CM-7, CM-8, CM-10, CM-11
Controls
CM-1: Policy and Procedures
Develop, document, and disseminate to [organization-defined personnel or roles]:
organization-level, mission/business process-level, and/or system-level configuration management policy that:
Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
Designate an [organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
Review and update the current configuration management:
Policy [organization-defined frequency] and following [organization-defined events]; and
Procedures [organization-defined frequency] and following [organization-defined events].
Configuration management policy and procedures address the controls in the CM family that are implemented within systems and organizations. The risk management strategy is an important factor in establishing such policies and procedures. Policies and procedures contribute to security and privacy assurance. Therefore, it is important that security and privacy programs collaborate on the development of configuration management policy and procedures. Security and privacy program policies and procedures at the organization level are preferable, in general, and may obviate the need for mission- or system-specific policies and procedures. The policy can be included as part of the general security and privacy policy or be represented by multiple policies that reflect the complex nature of organizations. Procedures can be established for security and privacy programs, for mission/business processes, and for systems, if needed. Procedures describe how the policies or controls are implemented and can be directed at the individual or role that is the object of the procedure. Procedures can be documented in system security and privacy plans or in one or more separate documents. Events that may precipitate an update to configuration management policy and procedures include, but are not limited to, assessment or audit findings, security incidents or breaches, or changes in applicable laws, executive orders, directives, regulations, policies, standards, and guidelines. Simply restating controls does not constitute an organizational policy or procedure.
a configuration management policy is developed and documented;
the configuration management policy is disseminated to [organization-defined personnel or roles];
configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented;
the configuration management procedures are disseminated to [organization-defined personnel or roles];
the organization-level, mission/business process-level, and/or system-level of the configuration management policy addresses purpose;
the organization-level, mission/business process-level, and/or system-level of the configuration management policy addresses scope;
the organization-level, mission/business process-level, and/or system-level of the configuration management policy addresses roles;
the organization-level, mission/business process-level, and/or system-level of the configuration management policy addresses responsibilities;
the organization-level, mission/business process-level, and/or system-level of the configuration management policy addresses management commitment;
the organization-level, mission/business process-level, and/or system-level of the configuration management policy addresses coordination among organizational entities;
the organization-level, mission/business process-level, and/or system-level of the configuration management policy addresses compliance;
the configuration management policy is consistent with applicable laws, Executive Orders, directives, regulations, policies, standards, and guidelines;
an [organization-defined official] is designated to manage the development, documentation, and dissemination of the configuration management policy and procedures;
the current configuration management policy is reviewed and updated [organization-defined frequency];
the current configuration management policy is reviewed and updated following [organization-defined events];
the current configuration management procedures are reviewed and updated [organization-defined frequency];
the current configuration management procedures are reviewed and updated following [organization-defined events].
Configuration management policy and procedures
security and privacy program policies and procedures
assessment or audit findings
documentation of security incidents or breaches
system security plan
privacy plan
risk management strategy
other relevant artifacts, documents, or records
Organizational personnel with configuration management responsibilities
organizational personnel with information security and privacy responsibilities
CM-2: Baseline Configuration
Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
Review and update the baseline configuration of the system:
[organization-defined frequency];
When required due to [organization-defined circumstances]; and
When system components are installed or upgraded.
Baseline configurations for systems and system components include connectivity, operational, and communications aspects of systems. Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, or changes to systems and include security and privacy control implementations, operational procedures, information about system components, network topology, and logical placement of components in the system architecture. Maintaining baseline configurations requires creating new baselines as organizational systems change over time. Baseline configurations of systems reflect the current enterprise architecture.
a current baseline configuration of the system is developed and documented;
a current baseline configuration of the system is maintained under configuration control;
the baseline configuration of the system is reviewed and updated [organization-defined frequency];
the baseline configuration of the system is reviewed and updated when required due to [organization-defined circumstances];
the baseline configuration of the system is reviewed and updated when system components are installed or upgraded.
Configuration management policy
procedures addressing the baseline configuration of the system
configuration management plan
enterprise architecture documentation
system design documentation
system security plan
privacy plan
system architecture and configuration documentation
system configuration settings and associated documentation
system component inventory
change control records
other relevant documents or records
Organizational personnel with configuration management responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Organizational processes for managing baseline configurations
mechanisms supporting configuration control of the baseline configuration
CM-4: Impact Analyses
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required.
changes to the system are analyzed to determine potential security impacts prior to change implementation;
changes to the system are analyzed to determine potential privacy impacts prior to change implementation.
Configuration management policy
procedures addressing security impact analyses for changes to the system
procedures addressing privacy impact analyses for changes to the system
configuration management plan
security impact analysis documentation
privacy impact analysis documentation
privacy impact assessment
privacy risk assessment documentation
system design documentation
analysis tools and associated outputs
change control records
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with responsibility for conducting security impact analyses
organizational personnel with responsibility for conducting privacy impact analyses
organizational personnel with information security and privacy responsibilities
system developer
system/network administrators
members of change control board or similar
Organizational processes for security impact analyses
organizational processes for privacy impact analyses
CM-5: Access Restrictions for Change
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals' privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).
physical access restrictions associated with changes to the system are defined and documented;
physical access restrictions associated with changes to the system are approved;
physical access restrictions associated with changes to the system are enforced;
logical access restrictions associated with changes to the system are defined and documented;
logical access restrictions associated with changes to the system are approved;
logical access restrictions associated with changes to the system are enforced.
Configuration management policy
procedures addressing access restrictions for changes to the system
configuration management plan
system design documentation
system architecture and configuration documentation
system configuration settings and associated documentation
logical access approvals
physical access approvals
access credentials
change control records
system audit records
system security plan
other relevant documents or records
Organizational personnel with logical access control responsibilities
organizational personnel with physical access control responsibilities
organizational personnel with information security responsibilities
system/network administrators
Organizational processes for managing access restrictions to change
mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system
CM-6: Configuration Settings
Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [organization-defined common secure configurations];
Implement the configuration settings;
Identify, document, and approve any deviations from established configuration settings for [organization-defined system components] based on [organization-defined operational requirements]; and
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.
Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.
Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline (USGCB) and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.
configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using [organization-defined common secure configurations];
the configuration settings documented in CM-06a are implemented;
any deviations from established configuration settings for [organization-defined system components] are identified and documented based on [organization-defined operational requirements];
any deviations from established configuration settings for [organization-defined system components] are approved;
changes to the configuration settings are monitored in accordance with organizational policies and procedures;
changes to the configuration settings are controlled in accordance with organizational policies and procedures.
Configuration management policy
procedures addressing configuration settings for the system
configuration management plan
system design documentation
system configuration settings and associated documentation
common secure configuration checklists
system component inventory
evidence supporting approved deviations from established configuration settings
change control records
system data processing and retention permissions
system audit records
system security plan
privacy plan
other relevant documents or records
Organizational personnel with security configuration management responsibilities
organizational personnel with privacy configuration management responsibilities
organizational personnel with information security and privacy responsibilities
system/network administrators
Organizational processes for managing configuration settings
mechanisms that implement, monitor, and/or control system configuration settings
mechanisms that identify and/or document deviations from established configuration settings
CM-7: Least Functionality
Configure the system to provide only [organization-defined mission-essential capabilities]; and
Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services.
Systems provide a wide variety of functions and services. Some of the functions and services routinely provided by default may not be necessary to support essential organizational missions, functions, or operations. Additionally, it is sometimes convenient to provide multiple services from a single system component, but doing so increases risk over limiting the services provided by that single component. Where feasible, organizations limit component functionality to a single function per component. Organizations consider removing unused or unnecessary software and disabling unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of components, transfer of information, and tunneling. Organizations employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services. Least functionality can also be achieved as part of the fundamental design and development of the system (see SA-8, SC-2, and SC-3).
the system is configured to provide only [organization-defined mission-essential capabilities];
the use of [organization-defined functions] is prohibited or restricted;
the use of [organization-defined ports] is prohibited or restricted;
the use of [organization-defined protocols] is prohibited or restricted;
the use of [organization-defined software] is prohibited or restricted;
the use of [organization-defined services] is prohibited or restricted.
Configuration management policy
procedures addressing least functionality in the system
configuration management plan
system design documentation
system configuration settings and associated documentation
system component inventory
common secure configuration checklists
system security plan
other relevant documents or records
Organizational personnel with security configuration management responsibilities
organizational personnel with information security responsibilities
system/network administrators
system developers
Organizational processes prohibiting or restricting functions, ports, protocols, software, and/or services
mechanisms implementing restrictions or prohibition of functions, ports, protocols, software, and/or services
CM-8: System Component Inventory
Develop and document an inventory of system components that:
Accurately reflects the system;
Includes all components within the system;
Does not include duplicate accounting of components or components assigned to any other system;
Is at the level of granularity deemed necessary for tracking and reporting; and
Includes the following information to achieve system component accountability: [organization-defined information]; and
Review and update the system component inventory [organization-defined frequency].
System components are discrete, identifiable information technology assets that include hardware, software, and firmware. Organizations may choose to implement centralized system component inventories that include components from all organizational systems. In such situations, organizations ensure that the inventories include system-specific information required for component accountability. The information necessary for effective accountability of system components includes the system name, software owners, software version numbers, hardware inventory specifications, software license information, and for networked components, the machine names and network addresses across all implemented protocols (e.g., IPv4, IPv6). Inventory specifications include date of receipt, cost, model, serial number, manufacturer, supplier information, component type, and physical location.
Preventing duplicate accounting of system components addresses the lack of accountability that occurs when component ownership and system association is not known, especially in large or complex connected systems. Effective prevention of duplicate accounting of system components necessitates use of a unique identifier for each component. For software inventory, centrally managed software that is accessed via other systems is addressed as a component of the system on which it is installed and managed. Software installed on multiple organizational systems and managed at the system level is addressed for each individual system and may appear more than once in a centralized component inventory, necessitating a system association for each software instance in the centralized inventory to avoid duplicate accounting of components. Scanning systems implementing multiple network protocols (e.g., IPv4 and IPv6) can result in duplicate components being identified in different address spaces. The implementation of CM-8(7) can help to eliminate duplicate accounting of components.
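The duplicate-accounting problem described above, as an added example that is not part of NIST SP 800-53 or any assessment tool: a reconciliation routine that keys the inventory on a unique identifier (here a serial number, an assumption) so that IPv4 and IPv6 observations of one host collapse into one component, while each software instance keeps its system association and conflicting ownership claims are surfaced instead of silently merged. The scan observations are constructed sample data.

```python
"""Reconcile raw discovery observations into a de-duplicated component inventory (CM-8).

Added example, not NIST's or any vendor's code. Assumes a serial number is the
unique component identifier; the observations below are constructed samples.
"""
from dataclasses import dataclass, field

# Constructed sample output of two discovery scans (IPv4 and IPv6). Each dict is
# one observation; the same physical host appears once per protocol.
OBSERVATIONS = [
    {"serial": "SN-0001", "system": "HR-Portal", "host": "hrweb01", "proto": "IPv4",
     "addr": "10.1.2.3", "software": ["nginx 1.24.0", "openssl 3.0.13"]},
    {"serial": "SN-0001", "system": "HR-Portal", "host": "hrweb01", "proto": "IPv6",
     "addr": "2001:db8::3", "software": ["nginx 1.24.0"]},
    {"serial": "SN-0002", "system": "Payroll", "host": "payapp01", "proto": "IPv4",
     "addr": "10.1.5.9", "software": ["openssl 3.0.13"]},
    {"serial": "SN-0002", "system": "Payroll", "host": "payapp01-v6", "proto": "IPv6",
     "addr": "2001:db8::9", "software": ["openssl 3.0.13"]},
    {"serial": "SN-0003", "system": "HR-Portal", "host": "hrdb01", "proto": "IPv4",
     "addr": "10.1.2.4", "software": ["postgresql 15.6"]},
    # Same serial claimed by a second system: a conflict to surface, not to guess about.
    {"serial": "SN-0003", "system": "Payroll", "host": "hrdb01", "proto": "IPv4",
     "addr": "10.1.2.4", "software": ["postgresql 15.6"]},
]


@dataclass
class Component:
    serial: str                                   # unique identifier (assumed: serial number)
    system: str                                   # system association for accountability
    hostnames: set = field(default_factory=set)
    addresses: dict = field(default_factory=dict)  # protocol -> set of addresses
    software: set = field(default_factory=set)     # software instances installed on this component


def reconcile(observations):
    """Return (inventory, conflicts).

    inventory: serial -> Component, exactly one entry per unique identifier.
    conflicts: [(serial, [systems...])] where observations disagree on the owning
    system; these need human resolution before the inventory is reported.
    """
    inventory, systems_seen = {}, {}
    for obs in observations:
        serial = obs["serial"]
        systems_seen.setdefault(serial, set()).add(obs["system"])
        comp = inventory.get(serial)
        if comp is None:
            comp = Component(serial=serial, system=obs["system"])
            inventory[serial] = comp
        comp.hostnames.add(obs["host"])
        comp.addresses.setdefault(obs["proto"], set()).add(obs["addr"])
        comp.software.update(obs["software"])
    conflicts = [(s, sorted(v)) for s, v in systems_seen.items() if len(v) > 1]
    return inventory, conflicts


def naive_count(observations):
    """Count components the wrong way, keyed on (protocol, address): every
    protocol scan of a dual-stack host yields a separate 'component'."""
    return len({(o["proto"], o["addr"]) for o in observations})


def software_instances(inventory):
    """Centralized software view. Each (system, serial, software) triple is one
    instance: the same package on two components is counted twice, on purpose,
    but one package seen over IPv4 and IPv6 on one host is counted once."""
    return sorted((c.system, c.serial, s) for c in inventory.values() for s in c.software)


if __name__ == "__main__":
    inv, conf = reconcile(OBSERVATIONS)
    print(f"address-keyed count: {naive_count(OBSERVATIONS)}, identifier-keyed count: {len(inv)}")
    for c in inv.values():
        print(c.serial, c.system, sorted(c.hostnames), {p: sorted(a) for p, a in c.addresses.items()})
    for serial, systems in conf:
        print(f"CONFLICT: {serial} claimed by {systems}; resolve before reporting")
```

Keyed on address the sample yields five "components" for three physical hosts; keyed on the unique identifier it yields three, plus one ownership conflict for review.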
an inventory of system components that accurately reflects the system is developed and documented;
an inventory of system components that includes all components within the system is developed and documented;
an inventory of system components that does not include duplicate accounting of components or components assigned to any other system is developed and documented;
an inventory of system components that is at the level of granularity deemed necessary for tracking and reporting is developed and documented;
an inventory of system components that includes [organization-defined information] to achieve effective system component accountability is developed and documented;
the system component inventory is reviewed and updated [organization-defined frequency].
Configuration management policy
procedures addressing system component inventory
configuration management plan
system security plan
system design documentation
system component inventory
inventory reviews and update records
other relevant documents or records
Organizational personnel with component inventory management responsibilities
organizational personnel with information security responsibilities
system/network administrators
Organizational processes for managing the system component inventory
mechanisms supporting and/or implementing system component inventory
CM-10: Software Usage Restrictions
Use software and associated documentation in accordance with contract agreements and copyright laws;
Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Software license tracking can be accomplished by manual or automated methods, depending on organizational needs. Examples of contract agreements include software license agreements and non-disclosure agreements.
software and associated documentation are used in accordance with contract agreements and copyright laws;
the use of software and associated documentation protected by quantity licenses is tracked to control copying and distribution;
the use of peer-to-peer file sharing technology is controlled and documented to ensure that peer-to-peer file sharing is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Configuration management policy
software usage restrictions
software contract agreements and copyright laws
site license documentation
list of software usage restrictions
software license tracking reports
configuration management plan
system security plan
other relevant documents or records
Organizational personnel operating, using, and/or maintaining the system
organizational personnel with software license management responsibilities
organizational personnel with information security responsibilities
system/network administrators
Organizational processes for tracking the use of software protected by quantity licenses
organizational processes for controlling/documenting the use of peer-to-peer file sharing technology
mechanisms implementing software license tracking
mechanisms implementing and controlling the use of peer-to-peer file sharing technology
CM-11: User-installed Software
Establish [organization-defined policies] governing the installation of software by users;
Enforce software installation policies through the following methods: [organization-defined methods]; and
Monitor policy compliance [organization-defined frequency].
If provided the necessary privileges, users can install software in organizational systems. To maintain control over the software installed, organizations identify permitted and prohibited actions regarding software installation. Permitted software installations include updates and security patches to existing software and downloading new applications from organization-approved "app stores." Prohibited software installations include software with unknown or suspect pedigrees or software that organizations consider potentially malicious. Policies selected for governing user-installed software are organization-developed or provided by some external entity. Policy enforcement methods can include procedural methods and automated methods.
[organization-defined policies] governing the installation of software by users are established;
software installation policies are enforced through [organization-defined methods];
compliance with [organization-defined policies] is monitored [organization-defined frequency].
Configuration management policy
procedures addressing user-installed software
configuration management plan
system security plan
system design documentation
system configuration settings and associated documentation
list of rules governing user installed software
system monitoring records
system audit records
continuous monitoring strategy
other relevant documents or records
Organizational personnel with responsibilities for governing user-installed software
organizational personnel operating, using, and/or maintaining the system
organizational personnel monitoring compliance with user-installed software policy
organizational personnel with information security responsibilities
system/network administrators
Organizational processes governing user-installed software on the system
mechanisms enforcing policies and methods for governing the installation of software by users
mechanisms monitoring policy compliance