Control ID Title / Statement Priority Baseline Impact
CM-1
Configuration Management Policy and Procedures 3 params
The organization: a. Develops, documents, and disseminates to {{ insert: param, cm-1_prm_1 }}: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, man...
Param ID Label Constraint / Choices
cm-1_prm_1 organization-defined personnel or roles Organization-defined
cm-1_prm_2 organization-defined frequency Organization-defined
cm-1_prm_3 organization-defined frequency Organization-defined
CM-2
Baseline Configuration 2 params
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Param ID Label Constraint / Choices
cm-02_odp.01 frequency the frequency of baseline configuration review and update is defined;
cm-02_odp.02 circumstances the circumstances requiring baseline configuration review and update are defined;
CM-2(1)
Reviews and Updates 2 params
The organization reviews and updates the baseline configuration of the information system: (a) {{ insert: param, cm-2.1_prm_1 }}; (b) When required due to {{ insert: param, cm-2.1_prm_2 }}; and...
Param ID Label Constraint / Choices
cm-2.1_prm_1 organization-defined frequency Organization-defined
cm-2.1_prm_2 organization-defined circumstances Organization-defined
CM-2(2)
Automation Support for Accuracy / Currency
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
CM-2(3)
Retention of Previous Configurations 1 param
The organization retains {{ insert: param, cm-2.3_prm_1 }} to support rollback.
Param ID Label Constraint / Choices
cm-2.3_prm_1 organization-defined previous versions of baseline configurations of the information system Organization-defined
CM-2(4)
Unauthorized Software
[Withdrawn: Incorporated into CM-7].
CM-2(5)
Authorized Software
[Withdrawn: Incorporated into CM-7].
CM-2(6)
Development and Test Environments
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
CM-2(7)
Configure Systems, Components, or Devices for High-risk Areas 3 params
The organization: (a) Issues {{ insert: param, cm-2.7_prm_1 }} with {{ insert: param, cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems to be of significant risk; ...
Param ID Label Constraint / Choices
cm-2.7_prm_1 organization-defined information systems, system components, or devices Organization-defined
cm-2.7_prm_2 organization-defined configurations Organization-defined
cm-2.7_prm_3 organization-defined security safeguards Organization-defined
CM-3
Configuration Change Control 5 params
The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system ...
Param ID Label Constraint / Choices
cm-3_prm_1 organization-defined time period Organization-defined
cm-3_prm_2 organization-defined configuration change control element (e.g., committee, board) Organization-defined
cm-3_prm_3 Select one-or-more: {{ insert: param, cm-3_prm_4 }} ; {{ insert: param, cm-3_prm_5 }}
cm-3_prm_4 organization-defined frequency Organization-defined
cm-3_prm_5 organization-defined configuration change conditions Organization-defined
CM-3(1)
Automated Document / Notification / Prohibition of Changes 3 params
The organization employs automated mechanisms to: (a) Document proposed changes to the information system; (b) Notify {{ insert: param, cm-3.1_prm_1 }} of proposed changes to the information sy...
Param ID Label Constraint / Choices
cm-3.1_prm_1 organization-defined approval authorities Organization-defined
cm-3.1_prm_2 organization-defined time period Organization-defined
cm-3.1_prm_3 organization-defined personnel Organization-defined
CM-3(2)
Test / Validate / Document Changes
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
CM-3(3)
Automated Change Implementation
The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
CM-3(4)
Security Representative 1 param
The organization requires an information security representative to be a member of the {{ insert: param, cm-3.4_prm_1 }}.
Param ID Label Constraint / Choices
cm-3.4_prm_1 organization-defined configuration change control element Organization-defined
CM-3(5)
Automated Security Response 1 param
The information system implements {{ insert: param, cm-3.5_prm_1 }} automatically if baseline configurations are changed in an unauthorized manner.
Param ID Label Constraint / Choices
cm-3.5_prm_1 organization-defined security responses Organization-defined
CM-3(6)
Cryptography Management 1 param
The organization ensures that cryptographic mechanisms used to provide {{ insert: param, cm-3.6_prm_1 }} are under configuration management.
Param ID Label Constraint / Choices
cm-3.6_prm_1 organization-defined security safeguards Organization-defined
CM-4
Security Impact Analysis
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
CM-4(1)
Separate Test Environments
The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses...
CM-4(2)
Verification of Security Functions
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired out...
CM-5
Access Restrictions for Change
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CM-5(1)
Automated Access Enforcement / Auditing
The information system enforces access restrictions and supports auditing of the enforcement actions.
CM-5(2)
Review System Changes 2 params
The organization reviews information system changes {{ insert: param, cm-5.2_prm_1 }} and {{ insert: param, cm-5.2_prm_2 }} to determine whether unauthorized changes have occurred.
Param ID Label Constraint / Choices
cm-5.2_prm_1 organization-defined frequency Organization-defined
cm-5.2_prm_2 organization-defined circumstances Organization-defined
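The baseline controls above (CM-2, its automation and retention enhancements CM-2(2) and CM-2(3), the automated response in CM-3(5), and the review for unauthorized changes in CM-5(2)) all rest on one mechanism: an approved baseline the system can be compared against. The following is an added example, not part of the NIST catalog or of any OSCAL tooling. It keeps a baseline as a SHA-256 manifest of a configuration tree, retains previous baselines for rollback, classifies drift, and separates changes covered by an approved change record from those that are not. The file paths, the retention depth and the set of "approved" paths are constructed for the demonstration.

```python
"""Baseline configuration kept as a SHA-256 manifest, with retained previous
baselines for rollback (CM-2(3)) and drift detection for review (CM-5(2))."""
import hashlib
import json
from pathlib import Path
from typing import Dict, List, Set

Manifest = Dict[str, str]  # POSIX relative path -> hex SHA-256 of the file's bytes


def hash_tree(root: Path) -> Manifest:
    """Hash every regular file under root; this is the 'current configuration'."""
    manifest: Manifest = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(baseline: Manifest, current: Manifest) -> Dict[str, List[str]]:
    """Classify drift between the approved baseline and what is deployed now."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def unauthorized_changes(drift: Dict[str, List[str]], approved_paths: Set[str]) -> List[str]:
    """Changed paths with no approved change record: the trigger for an
    automated response under CM-3(5) / CM-6(2)."""
    changed = drift["added"] + drift["removed"] + drift["modified"]
    return sorted(p for p in changed if p not in approved_paths)


def version_id(manifest: Manifest) -> str:
    """Stable identifier for a baseline: hash of its canonical JSON form."""
    canon = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()[:16]


class BaselineStore:
    """Current baseline plus the `retain` most recent previous versions."""

    def __init__(self, retain: int = 3) -> None:
        self.retain = retain
        self.versions: List[Manifest] = []  # oldest first; last entry is current

    def commit(self, manifest: Manifest) -> str:
        """Record an approved baseline and prune history beyond the retention window."""
        self.versions.append(dict(manifest))
        self.versions = self.versions[-(self.retain + 1):]
        return version_id(manifest)

    @property
    def current(self) -> Manifest:
        return self.versions[-1]

    def rollback_target(self, back: int = 1) -> Manifest:
        """Baseline to restore to; back=1 is the version before the current one."""
        return self.versions[-1 - back]


def write_files(root: Path, files: Dict[str, str]) -> None:
    """Demo helper: materialise a constructed config tree on disk."""
    for rel, text in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text)


if __name__ == "__main__":
    import tempfile

    root = Path(tempfile.mkdtemp())  # constructed sample tree, not a real host
    write_files(root, {"etc/sshd_config": "PermitRootLogin no\n",
                       "etc/hosts": "127.0.0.1 localhost\n"})
    store = BaselineStore(retain=2)
    store.commit(hash_tree(root))
    # An approved edit to sshd_config plus an unapproved new cron job.
    write_files(root, {"etc/sshd_config": "PermitRootLogin no\nMaxAuthTries 4\n",
                       "etc/cron.d/job": "* * * * * root /tmp/payload\n"})
    drift = compare(store.current, hash_tree(root))
    print("drift:", drift)
    print("unauthorized:", unauthorized_changes(drift, {"etc/sshd_config"}))
    print("current baseline:", version_id(store.current))
```

Hashing whole files is deliberately coarse: it reports that `etc/sshd_config` changed, not which directive, which is what a baseline review needs to decide whether the change matches an approved record. The manifest's canonical-JSON identifier is what a change record can cite so that "baseline X was approved" is unambiguous.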
CM-5(3)
Signed Components 1 param
The information system prevents the installation of {{ insert: param, cm-5.3_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and ap...
Param ID Label Constraint / Choices
cm-5.3_prm_1 organization-defined software and firmware components Organization-defined
CM-5(4)
Dual Authorization 1 param
The organization enforces dual authorization for implementing changes to {{ insert: param, cm-5.4_prm_1 }}.
Param ID Label Constraint / Choices
cm-5.4_prm_1 organization-defined information system components and system-level information Organization-defined
CM-5(5)
Limit Production / Operational Privileges 1 param
The organization: (a) Limits privileges to change information system components and system-related information within a production or operational environment; and (b) Reviews and reevaluates pr...
Param ID Label Constraint / Choices
cm-5.5_prm_1 organization-defined frequency Organization-defined
CM-5(6)
Limit Library Privileges
The organization limits privileges to change software resident within software libraries.
CM-5(7)
Automatic Implementation of Security Safeguards
[Withdrawn: Incorporated into SI-7].
CM-6
Configuration Settings 3 params
The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using {{ insert: param, cm-6_prm_1 }} that reflect...
Param ID Label Constraint / Choices
cm-6_prm_1 organization-defined security configuration checklists Organization-defined
cm-6_prm_2 organization-defined information system components Organization-defined
cm-6_prm_3 organization-defined operational requirements Organization-defined
CM-6(1)
Automated Central Management / Application / Verification 1 param
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for {{ insert: param, cm-6.1_prm_1 }}.
Param ID Label Constraint / Choices
cm-6.1_prm_1 organization-defined information system components Organization-defined
CM-6(2)
Respond to Unauthorized Changes 2 params
The organization employs {{ insert: param, cm-6.2_prm_1 }} to respond to unauthorized changes to {{ insert: param, cm-6.2_prm_2 }}.
Param ID Label Constraint / Choices
cm-6.2_prm_1 organization-defined security safeguards Organization-defined
cm-6.2_prm_2 organization-defined configuration settings Organization-defined
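CM-6 separates three things that are easy to conflate in practice: the checklist the settings are drawn from (CM-6a), the deployed values (CM-6b), and approved, documented deviations (CM-6c). The following is an added example, not from the NIST catalog or any benchmark publisher, showing the check as code for an sshd_config-style file. The checklist entries, the sample configuration and the deviation record "CHG-0142" are constructed; the parsing rules (first occurrence of a keyword wins, `Match` blocks are conditional, `Key=value` is accepted) follow sshd_config semantics, and an absent setting is reported rather than assumed compliant because the compiled default then applies.

```python
"""Check an sshd_config-style file against an organization-defined security
configuration checklist, recording approved deviations separately (CM-6 a, c)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Requirement:
    setting: str
    op: str     # "eq": value must equal; "le": numeric value must be <= limit
    value: str


@dataclass(frozen=True)
class Deviation:
    setting: str
    approved_value: str
    record: str  # reference to the approval record (constructed ticket id)


# Constructed checklist in the style of a hardening benchmark (not an official one).
CHECKLIST: List[Requirement] = [
    Requirement("PermitRootLogin", "eq", "no"),
    Requirement("PasswordAuthentication", "eq", "no"),
    Requirement("X11Forwarding", "eq", "no"),
    Requirement("MaxAuthTries", "le", "4"),
    Requirement("LogLevel", "eq", "VERBOSE"),
]

# Constructed sample config, not taken from a real host.
SAMPLE_CONFIG = """\
Port 22
# non-compliant, no approval on file
PermitRootLogin yes
# key=value form is also accepted by sshd
PasswordAuthentication=no
# approved deviation, see CHG-0142
X11Forwarding yes
MaxAuthTries 6
# ignored: sshd honours the FIRST occurrence of a keyword
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
"""

DEVIATIONS = [Deviation("X11Forwarding", "yes", "CHG-0142")]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective global settings: first occurrence wins, Match blocks excluded,
    keywords are case-insensitive so keys are lower-cased."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match"):
            break  # everything after the first Match is conditional, not global
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def satisfies(req: Requirement, actual: str) -> bool:
    if req.op == "eq":
        return actual.lower() == req.value.lower()
    if req.op == "le":
        return actual.isdigit() and int(actual) <= int(req.value)
    raise ValueError(f"unknown operator {req.op!r}")


def evaluate(settings: Dict[str, str], checklist: List[Requirement],
             deviations: List[Deviation]) -> Dict[str, Tuple[str, str]]:
    """Map each checklist setting to (actual value or '', status). A deviation only
    counts when the deployed value is exactly the one that was approved."""
    approved = {d.setting.lower(): d for d in deviations}
    results: Dict[str, Tuple[str, str]] = {}
    for req in checklist:
        key = req.setting.lower()
        actual = settings.get(key)
        if actual is None:
            status = "missing"  # compiled default applies; set it explicitly so it is auditable
        elif satisfies(req, actual):
            status = "compliant"
        elif key in approved and approved[key].approved_value.lower() == actual.lower():
            status = f"deviation:{approved[key].record}"
        else:
            status = "noncompliant"
        results[req.setting] = (actual or "", status)
    return results


if __name__ == "__main__":
    report = evaluate(parse_sshd_config(SAMPLE_CONFIG), CHECKLIST, DEVIATIONS)
    for setting, (actual, status) in report.items():
        print(f"{setting:24} {actual or '-':10} {status}")
```

A deviation is matched on the exact approved value: if `X11Forwarding` were later changed from the approved `yes` to some other non-compliant value, the record would no longer cover it and the setting would fall back to noncompliant, which is the behaviour CM-6d (monitoring changes to settings) calls for.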
CM-6(3)
Unauthorized Change Detection
[Withdrawn: Incorporated into SI-7].
CM-6(4)
Conformance Demonstration
[Withdrawn: Incorporated into CM-4].
CM-7
Least Functionality 1 param
The organization: a. Configures the information system to provide only essential capabilities; and b. Prohibits or restricts the use of the following functions, ports, protocols, and/or service...
Param ID Label Constraint / Choices
cm-7_prm_1 organization-defined prohibited or restricted functions, ports, protocols, and/or services Organization-defined
CM-7(1)
Periodic Review 2 params
The organization: (a) Reviews the information system {{ insert: param, cm-7.1_prm_1 }} to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and (b) Disables {{ in...
Param ID Label Constraint / Choices
cm-7.1_prm_1 organization-defined frequency Organization-defined
cm-7.1_prm_2 organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure Organization-defined
CM-7(2)
Prevent Program Execution 2 params
The information system prevents program execution in accordance with {{ insert: param, cm-7.2_prm_1 }}.
Param ID Label Constraint / Choices
cm-7.2_prm_1 Select one-or-more: {{ insert: param, cm-7.2_prm_2 }} ; rules authorizing the terms and conditions of software program usage
cm-7.2_prm_2 organization-defined policies regarding software program usage and restrictions Organization-defined
CM-7(3)
Registration Compliance 1 param
The organization ensures compliance with {{ insert: param, cm-7.3_prm_1 }}.
Param ID Label Constraint / Choices
cm-7.3_prm_1 organization-defined registration requirements for functions, ports, protocols, and services Organization-defined
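CM-7, CM-7(1) and CM-7(3) describe a periodic review of the system's functions, ports, protocols and services against what the organization has prohibited and what it has registered. The following is an added example, not from the NIST catalog, of that review run over listening sockets. The `ss -Hltnup`-shaped output, the registered list (standing in for cm-7.3_prm_1) and the prohibited list (standing in for cm-7_prm_1) are constructed; the check also flags a registered port that is held by an unexpected process, since a port being "approved" says nothing about who is actually bound to it.

```python
"""Review listening sockets against the registered functions/ports/protocols/
services list (CM-7, CM-7(1), CM-7(3))."""
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample in the shape of `ss -Hltnup` output (header suppressed).
SAMPLE_SS = """\
tcp LISTEN 0 128  0.0.0.0:22     0.0.0.0:* users:(("sshd",pid=812,fd=3))
tcp LISTEN 0 4096 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=1201,fd=5))
tcp LISTEN 0 511  0.0.0.0:443    0.0.0.0:* users:(("socat",pid=1402,fd=6))
tcp LISTEN 0 128  0.0.0.0:23     0.0.0.0:* users:(("telnetd",pid=1510,fd=3))
udp UNCONN 0 0    0.0.0.0:161    0.0.0.0:* users:(("snmpd",pid=1611,fd=7))
tcp LISTEN 0 128  0.0.0.0:8080   0.0.0.0:* users:(("python3",pid=1777,fd=3))
tcp LISTEN 0 128  [::]:22        [::]:*    users:(("sshd",pid=812,fd=4))
"""

# Registered (proto, port) -> expected service process; stands in for cm-7.3_prm_1.
REGISTERED: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "sshd",
    ("tcp", 443): "nginx",
    ("tcp", 5432): "postgres",
}
# Explicitly prohibited (proto, port); stands in for cm-7_prm_1.
PROHIBITED: Set[Tuple[str, int]] = {("tcp", 23), ("udp", 161)}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> List[Listener]:
    """Parse `ss` rows: Netid State Recv-Q Send-Q Local:Port Peer:Port [Process]."""
    listeners: List[Listener] = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, _, port = fields[4].rpartition(":")  # rpartition keeps IPv6 colons intact
        match = re.search(r'\(\("([^"]+)"', line)
        listeners.append(Listener(fields[0], addr.strip("[]"), int(port),
                                  match.group(1) if match else "?"))
    return listeners


def review(listeners: List[Listener], registered: Dict[Tuple[str, int], str],
           prohibited: Set[Tuple[str, int]]) -> List[Tuple[Listener, str]]:
    """Classify every listener. A registered port served by an unexpected process
    is a finding too: a web port held by `socat` is not the registered service."""
    findings: List[Tuple[Listener, str]] = []
    for lst in listeners:
        key = (lst.proto, lst.port)
        if key in prohibited:
            status = "prohibited"
        elif key not in registered:
            status = "unregistered"
        elif registered[key] != lst.process:
            status = "process-mismatch"
        else:
            status = "registered"
        findings.append((lst, status))
    return findings


def summary(findings: List[Tuple[Listener, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for _, status in findings:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    for listener, status in review(parse_ss(SAMPLE_SS), REGISTERED, PROHIBITED):
        exposure = "loopback" if listener.addr in ("127.0.0.1", "::1") else "all-interfaces"
        print(f"{status:17} {listener.proto}/{listener.port:<5} {listener.process:10} {exposure}")
```

Run on a real host, the input comes from `ss -Hltnup` (root is needed for the process column); the prohibited and registered lists are the organization-defined values, which is why they are separate inputs rather than hard-coded policy.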
CM-7(4)
Unauthorized Software / Blacklisting 2 params
The organization: (a) Identifies {{ insert: param, cm-7.4_prm_1 }}; (b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the informa...
Param ID Label Constraint / Choices
cm-7.4_prm_1 organization-defined software programs not authorized to execute on the information system Organization-defined
cm-7.4_prm_2 organization-defined frequency Organization-defined
CM-7(5)
Authorized Software / Whitelisting 2 params
The organization: (a) Identifies {{ insert: param, cm-7.5_prm_1 }}; (b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information ...
Param ID Label Constraint / Choices
cm-7.5_prm_1 organization-defined software programs authorized to execute on the information system Organization-defined
cm-7.5_prm_2 organization-defined frequency Organization-defined
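CM-7(4) and CM-7(5) are mirror images: the first executes anything not explicitly denied, the second denies anything not explicitly permitted. The difference matters most for software nobody has classified yet, and for an approved binary that has been tampered with. The following is an added example, not from the NIST catalog, that evaluates the same set of executables under both models using the SHA-256 of their contents as the identifier, and includes the list-review staleness check that part (c) of each enhancement requires. The byte strings standing in for executables, the path names and the review interval are constructed.

```python
"""Execution-control decisions under the two CM-7 models: allow-all/deny-by-exception
(CM-7(4), a deny list) versus deny-all/permit-by-exception (CM-7(5), an allow list),
both keyed on the SHA-256 of the executable's bytes."""
import hashlib
from datetime import date, timedelta
from typing import Dict, Set


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for executable contents; real tooling hashes files on disk.
PROGRAMS: Dict[str, bytes] = {
    "/usr/bin/approved-agent": b"\x7fELF approved-agent 1.2",
    "/usr/bin/approved-agent (tampered)": b"\x7fELF approved-agent 1.2" + b"\x90",  # one extra byte
    "/opt/known-bad": b"\x7fELF known-bad-sample",
    "/tmp/unknown-dropper": b"\x7fELF never-seen-before",
}


class DenyByException:
    """CM-7(4): everything runs unless its hash is on the unauthorized list."""

    def __init__(self, unauthorized: Set[str]) -> None:
        self.unauthorized = unauthorized

    def permits(self, data: bytes) -> bool:
        return digest(data) not in self.unauthorized


class PermitByException:
    """CM-7(5): nothing runs unless its hash is on the authorized list."""

    def __init__(self, authorized: Set[str]) -> None:
        self.authorized = authorized

    def permits(self, data: bytes) -> bool:
        return digest(data) in self.authorized


def decisions(programs: Dict[str, bytes], deny_policy: DenyByException,
              allow_policy: PermitByException) -> Dict[str, Dict[str, bool]]:
    """Side-by-side verdicts for each program under both policies."""
    return {
        name: {
            "deny-by-exception": deny_policy.permits(data),
            "permit-by-exception": allow_policy.permits(data),
        }
        for name, data in programs.items()
    }


def review_overdue(last_reviewed: date, frequency_days: int, today: date) -> bool:
    """CM-7(4)(c) / CM-7(5)(c): the list itself must be reviewed at the defined frequency."""
    return today - last_reviewed > timedelta(days=frequency_days)


if __name__ == "__main__":
    deny = DenyByException({digest(PROGRAMS["/opt/known-bad"])})
    allow = PermitByException({digest(PROGRAMS["/usr/bin/approved-agent"])})
    for name, verdict in decisions(PROGRAMS, deny, allow).items():
        print(f"{name:40} deny-list: {verdict['deny-by-exception']!s:5} "
              f"allow-list: {verdict['permit-by-exception']}")
    print("list review overdue:", review_overdue(date(2024, 1, 1), 90, date(2024, 6, 1)))
```

Two results are worth noticing: the tampered copy of the approved agent passes the deny list (its new hash is not on it) but fails the allow list, and the never-seen dropper passes the deny list outright. Hash-based allow lists do carry an operational cost, since every legitimate update changes the hash and must be re-approved, which is exactly the review-and-update step the control's part (c) puts on a defined frequency.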
CM-8
Information System Component Inventory 2 params
The organization: a. Develops and documents an inventory of information system components that: 1. Accurately reflects the current information system; 2. Includes all components within th...
Param ID Label Constraint / Choices
cm-8_prm_1 organization-defined information deemed necessary to achieve effective information system component accountability Organization-defined
cm-8_prm_2 organization-defined frequency Organization-defined
CM-8(1)
Updates During Installations / Removals
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
CM-8(2)
Automated Maintenance
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
CM-8(3)
Automated Unauthorized Component Detection 3 params
The organization: (a) Employs automated mechanisms {{ insert: param, cm-8.3_prm_1 }} to detect the presence of unauthorized hardware, software, and firmware components within the information syst...
Param ID Label Constraint / Choices
cm-8.3_prm_1 organization-defined frequency Organization-defined
cm-8.3_prm_2 Select one-or-more: disables network access by such components; isolates the components; notifies {{ insert: param, cm-8.3_prm_3 }}
cm-8.3_prm_3 organization-defined personnel or roles Organization-defined
CM-8(4)
Accountability Information 1 param
The organization includes in the information system component inventory information, a means for identifying by {{ insert: param, cm-8.4_prm_1 }}, individuals responsible/accountable for administer...
Param ID Label Constraint / Choices
cm-8.4_prm_1 Select one-or-more: name; position; role
CM-8(5)
No Duplicate Accounting of Components
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
CM-8(6)
Assessed Configurations / Approved Deviations
The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
CM-8(7)
Centralized Repository
The organization provides a centralized repository for the inventory of information system components.
CM-8(8)
Automated Location Tracking
The organization employs automated mechanisms to support tracking of information system components by geographic location.
CM-8(9)
Assignment of Components to Systems 1 param
The organization: (a) Assigns {{ insert: param, cm-8.9_prm_1 }} to an information system; and (b) Receives an acknowledgement from the information system owner of this assignment.
Param ID Label Constraint / Choices
cm-8.9_prm_1 organization-defined acquired information system components Organization-defined
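CM-8 and its enhancements describe an inventory that must reconcile with what is actually present (CM-8(3)), name who is accountable for each component (CM-8(4)), not double-count components across systems (CM-8(5)), and record which system each component is assigned to (CM-8(9)). The following is an added example, not from the NIST catalog, that runs those checks over two constructed system inventories and a constructed discovery result, and turns the CM-8(3)(b) selection (disable network access, isolate, notify) into a per-component action plan. The MAC-style identifiers, system names and role names are invented for the demonstration.

```python
"""Reconcile what is discovered on the network with the authoritative component
inventory: unauthorized components and the response to them (CM-8(3)), accountable
roles (CM-8(4)) and duplicate accounting across systems (CM-8(5))."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Component:
    identifier: str   # stable hardware/software identifier, here a MAC address
    system: str       # information system the component is assigned to (CM-8(9))
    owner_role: str   # role accountable for administering it (CM-8(4)); "" if unrecorded


# Constructed inventories for two information systems.
INVENTORIES: Dict[str, List[Component]] = {
    "SYS-A": [
        Component("mac:aa:bb:cc:00:00:01", "SYS-A", "platform-admin"),
        Component("mac:aa:bb:cc:00:00:02", "SYS-A", "platform-admin"),
        Component("mac:aa:bb:cc:00:00:05", "SYS-A", ""),  # nobody recorded as accountable
    ],
    "SYS-B": [
        Component("mac:aa:bb:cc:00:00:02", "SYS-B", "db-admin"),  # also claimed by SYS-A
        Component("mac:aa:bb:cc:00:00:03", "SYS-B", "db-admin"),
    ],
}

# Constructed result of an automated discovery sweep (run at the cm-8.3_prm_1 frequency).
DISCOVERED: Set[str] = {
    "mac:aa:bb:cc:00:00:01", "mac:aa:bb:cc:00:00:02",
    "mac:aa:bb:cc:00:00:03", "mac:aa:bb:cc:00:00:04",
}


def inventoried_ids(inventories: Dict[str, List[Component]]) -> Set[str]:
    return {c.identifier for comps in inventories.values() for c in comps}


def unauthorized(discovered: Set[str], inventories: Dict[str, List[Component]]) -> Set[str]:
    """Seen on the network, recorded nowhere (CM-8(3)(a))."""
    return discovered - inventoried_ids(inventories)


def unaccounted(discovered: Set[str], inventories: Dict[str, List[Component]]) -> Set[str]:
    """Recorded in an inventory but not seen: stale record or powered-off asset."""
    return inventoried_ids(inventories) - discovered


def duplicates(inventories: Dict[str, List[Component]]) -> Dict[str, List[str]]:
    """Identifiers carried in more than one system's inventory (CM-8(5))."""
    seen: Dict[str, List[str]] = {}
    for system, comps in inventories.items():
        for c in comps:
            seen.setdefault(c.identifier, []).append(system)
    return {ident: sorted(systems) for ident, systems in seen.items() if len(systems) > 1}


def missing_accountability(inventories: Dict[str, List[Component]]) -> List[str]:
    """Components with no accountable role recorded (CM-8(4))."""
    return sorted(c.identifier for comps in inventories.values()
                  for c in comps if not c.owner_role)


def response_actions(unauthorized_ids: Set[str], actions: List[str],
                     notify_role: str) -> Dict[str, List[str]]:
    """Apply the selected CM-8(3)(b) actions to each unauthorized component.
    `actions` is drawn from the control's choices: disable / isolate / notify."""
    allowed = {"disable", "isolate", "notify"}
    unknown = set(actions) - allowed
    if unknown:
        raise ValueError(f"unknown action(s): {sorted(unknown)}")
    return {
        ident: [f"notify {notify_role}" if a == "notify" else a for a in actions]
        for ident in sorted(unauthorized_ids)
    }


if __name__ == "__main__":
    rogue = unauthorized(DISCOVERED, INVENTORIES)
    print("unauthorized:", sorted(rogue))
    print("unaccounted:", sorted(unaccounted(DISCOVERED, INVENTORIES)))
    print("duplicates:", duplicates(INVENTORIES))
    print("no accountable role:", missing_accountability(INVENTORIES))
    print("plan:", response_actions(rogue, ["isolate", "notify"], "soc-on-call"))
```

The duplicate check is the one that is usually skipped: a component listed under two systems has two owners on paper and, in practice, none, and it will be patched or decommissioned according to whichever baseline was looked at last.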
CM-9
Configuration Management Plan
The organization develops, documents, and implements a configuration management plan for the information system that: a. Addresses roles, responsibilities, and configuration management processes ...
CM-9(1)
Assignment of Responsibility
The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
CM-10
Software Usage Restrictions
The organization: a. Uses software and associated documentation in accordance with contract agreements and copyright laws; b. Tracks the use of software and associated documentation protected b...
CM-10(1)
Open Source Software 1 param
The organization establishes the following restrictions on the use of open source software: {{ insert: param, cm-10.1_prm_1 }}.
Param ID Label Constraint / Choices
cm-10.1_prm_1 organization-defined restrictions Organization-defined
cm-10a Uses software and associated documentation in accordance with contract agreements and copyright laws;
cm-10b Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
cm-10c Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution...
CM-11
User-installed Software 3 params
The organization: a. Establishes {{ insert: param, cm-11_prm_1 }} governing the installation of software by users; b. Enforces software installation policies through {{ insert: param, cm-11_prm...
Param ID Label Constraint / Choices
cm-11_prm_1 organization-defined policies Organization-defined
cm-11_prm_2 organization-defined methods Organization-defined
cm-11_prm_3 organization-defined frequency Organization-defined
CM-11(1)
Alerts for Unauthorized Installations 1 param
The information system alerts {{ insert: param, cm-11.1_prm_1 }} when the unauthorized installation of software is detected.
Param ID Label Constraint / Choices
cm-11.1_prm_1 organization-defined personnel or roles Organization-defined
CM-11(2)
Prohibit Installation Without Privileged Status
The information system prohibits user installation of software without explicit privileged status.
cm-11a Establishes {{ insert: param, cm-11_prm_1 }} governing the installation of software by users;
cm-11b Enforces software installation policies through {{ insert: param, cm-11_prm_2 }}; and
cm-11c Monitors policy compliance at {{ insert: param, cm-11_prm_3 }}.
cm-1a Develops, documents, and disseminates to {{ insert: param, cm-1_prm_1 }}:
cm-1a.1 A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational ...
cm-1a.2 Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
cm-1b Reviews and updates the current:
cm-1b.1 Configuration management policy {{ insert: param, cm-1_prm_2 }}; and
cm-1b.2 Configuration management procedures {{ insert: param, cm-1_prm_3 }}.
cm-2.1.(a) {{ insert: param, cm-2.1_prm_1 }};
cm-2.1.(b) When required due to {{ insert: param, cm-2.1_prm_2 }}; and
cm-2.1.(c) As an integral part of information system component installations and upgrades.
cm-2.7.(a) Issues {{ insert: param, cm-2.7_prm_1 }} with {{ insert: param, cm-2.7_prm_2 }} to individuals traveling to locations that the organization deems t...
cm-2.7.(b) Applies {{ insert: param, cm-2.7_prm_3 }} to the devices when the individuals return.
cm-3.1.(a) Document proposed changes to the information system;
cm-3.1.(b) Notify {{ insert: param, cm-3.1_prm_1 }} of proposed changes to the information system and request change approval;
cm-3.1.(c) Highlight proposed changes to the information system that have not been approved or disapproved by {{ insert: param, cm-3.1_prm_2 }};
cm-3.1.(d) Prohibit changes to the information system until designated approvals are received;
cm-3.1.(e) Document all changes to the information system; and
cm-3.1.(f) Notify {{ insert: param, cm-3.1_prm_3 }} when approved changes to the information system are completed.
cm-3a Determines the types of changes to the information system that are configuration-controlled;
cm-3b Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration fo...
cm-3c Documents configuration change decisions associated with the information system;
cm-3d Implements approved configuration-controlled changes to the information system;
cm-3e Retains records of configuration-controlled changes to the information system for {{ insert: param, cm-3_prm_1 }};
cm-3f Audits and reviews activities associated with configuration-controlled changes to the information system; and
cm-3g Coordinates and provides oversight for configuration change control activities through {{ insert: param, cm-3_prm_2 }} that convenes {{ insert: par...
cm-5.5.(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
cm-5.5.(b) Reviews and reevaluates privileges {{ insert: param, cm-5.5_prm_1 }}.
cm-6a Establishes and documents configuration settings for information technology products employed within the information system using {{ insert: param,...
cm-6b Implements the configuration settings;
cm-6c Identifies, documents, and approves any deviations from established configuration settings for {{ insert: param, cm-6_prm_2 }} based on {{ insert: ...
cm-6d Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
cm-7.1.(a) Reviews the information system {{ insert: param, cm-7.1_prm_1 }} to identify unnecessary and/or nonsecure functions, ports, protocols, and services...
cm-7.1.(b) Disables {{ insert: param, cm-7.1_prm_2 }}.
cm-7.4.(a) Identifies {{ insert: param, cm-7.4_prm_1 }};
cm-7.4.(b) Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
cm-7.4.(c) Reviews and updates the list of unauthorized software programs {{ insert: param, cm-7.4_prm_2 }}.
cm-7.5.(a) Identifies {{ insert: param, cm-7.5_prm_1 }};
cm-7.5.(b) Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
cm-7.5.(c) Reviews and updates the list of authorized software programs {{ insert: param, cm-7.5_prm_2 }}.
cm-7a Configures the information system to provide only essential capabilities; and
cm-7b Prohibits or restricts the use of the following functions, ports, protocols, and/or services: {{ insert: param, cm-7_prm_1 }}.
cm-8.3.(a) Employs automated mechanisms {{ insert: param, cm-8.3_prm_1 }} to detect the presence of unauthorized hardware, software, and firmware components w...
cm-8.3.(b) Takes the following actions when unauthorized components are detected: {{ insert: param, cm-8.3_prm_2 }}.
cm-8.9.(a) Assigns {{ insert: param, cm-8.9_prm_1 }} to an information system; and
cm-8.9.(b) Receives an acknowledgement from the information system owner of this assignment.
cm-8a Develops and documents an inventory of information system components that:
cm-8a.1 Accurately reflects the current information system;
cm-8a.2 Includes all components within the authorization boundary of the information system;
cm-8a.3 Is at the level of granularity deemed necessary for tracking and reporting; and
cm-8a.4 Includes {{ insert: param, cm-8_prm_1 }}; and
cm-8b Reviews and updates the information system component inventory {{ insert: param, cm-8_prm_2 }}.
cm-9a Addresses roles, responsibilities, and configuration management processes and procedures;
cm-9b Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the co...
cm-9c Defines the configuration items for the information system and places the configuration items under configuration management; and
cm-9d Protects the configuration management plan from unauthorized disclosure and modification.