Control ID Title / Statement Priority Baseline Impact
CM-01
Policy and Procedures 9 params
a. Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}: 1. {{ insert: param, cm-01_odp.03 }} configuration management policy that: (a) Addresses purpose, scope, roles,...
Param ID Label Constraint / Choices
cm-1_prm_1 organization-defined personnel or roles Organization-defined
cm-01_odp.01 personnel or roles personnel or roles to whom the configuration management policy is to be disseminated is/are defined;
cm-01_odp.02 personnel or roles personnel or roles to whom the configuration management procedures are to be disseminated is/are defined;
cm-01_odp.03 Select one-or-more: organization-level; mission/business process-level; system-level
cm-01_odp.04 official an official to manage the configuration management policy and procedures is defined;
cm-01_odp.05 frequency the frequency at which the current configuration management policy is reviewed and updated is defined;
cm-01_odp.06 events events that would require the current configuration management policy to be reviewed and updated are defined;
cm-01_odp.07 frequency the frequency at which the current configuration management procedures are reviewed and updated is defined;
cm-01_odp.08 events events that would require configuration management procedures to be reviewed and updated are defined;
CM-02
Baseline Configuration 2 params
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and b. Review and update the baseline configuration of the system: 1. {{ inse...
Param ID Label Constraint / Choices
cm-02_odp.01 frequency the frequency of baseline configuration review and update is defined;
cm-02_odp.02 circumstances the circumstances requiring baseline configuration review and update are defined;
CM-02(01)
Reviews and Updates
[Withdrawn: Incorporated into CM-02.]
CM-02(02)
Automation Support for Accuracy and Currency 1 param
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using {{ insert: param, cm-02.02_odp }}.
Param ID Label Constraint / Choices
cm-02.02_odp automated mechanisms automated mechanisms for maintaining baseline configuration of the system are defined;
CM-02(03)
Retention of Previous Configurations 1 param
Retain {{ insert: param, cm-02.03_odp }} of previous versions of baseline configurations of the system to support rollback.
Param ID Label Constraint / Choices
cm-02.03_odp number the number of previous baseline configuration versions to be retained is defined;
CM-02(04)
Unauthorized Software
[Withdrawn: Incorporated into CM-07(04).]
CM-02(05)
Authorized Software
[Withdrawn: Incorporated into CM-07(05).]
CM-02(06)
Development and Test Environments
Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.
CM-02(07)
Configure Systems and Components for High-risk Areas 3 params
(a) Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization deems to be of significant risk; and (b) App...
Param ID Label Constraint / Choices
cm-02.07_odp.01 systems or system components the systems or system components to be issued when individuals travel to high-risk areas are defined;
cm-02.07_odp.02 configurations configurations for systems or system components to be issued when individuals travel to high-risk areas are defined;
cm-02.07_odp.03 controls the controls to be applied when the individuals return from travel are defined;
CM-03
Configuration Change Control 5 params
a. Determine and document the types of changes to the system that are configuration-controlled; b. Review proposed configuration-controlled changes to the system and approve or disapprove such ...
Param ID Label Constraint / Choices
cm-03_odp.01 time period the time period to retain records of configuration-controlled changes is defined;
cm-03_odp.02 configuration change control element the configuration change control element responsible for coordinating and overseeing change control activities is def...
cm-03_odp.03 Select one-or-more: {{ insert: param, cm-03_odp.04 }}; when {{ insert: param, cm-03_odp.05 }}
cm-03_odp.04 frequency the frequency at which the configuration control element convenes is defined (if selected);
cm-03_odp.05 configuration change conditions configuration change conditions that prompt the configuration control element to convene are defined (if selected);
CM-03(01)
Automated Documentation, Notification, and Prohibition of Changes 4 params
Use {{ insert: param, cm-03.01_odp.01 }} to: (a) Document proposed changes to the system; (b) Notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change ap...
Param ID Label Constraint / Choices
cm-03.01_odp.01 automated mechanisms mechanisms used to automate configuration change control are defined;
cm-03.01_odp.02 approval authorities approval authorities to be notified of and request approval for proposed changes to the system are defined;
cm-03.01_odp.03 time period the time period after which to highlight changes that have not been approved or disapproved is defined;
cm-03.01_odp.04 personnel personnel to be notified when approved changes are complete is/are defined;
CM-03(02)
Testing, Validation, and Documentation of Changes
Test, validate, and document changes to the system before finalizing the implementation of the changes.
CM-03(03)
Automated Change Implementation 1 param
Implement changes to the current system baseline and deploy the updated baseline across the installed base using {{ insert: param, cm-03.03_odp }}.
Param ID Label Constraint / Choices
cm-03.03_odp automated mechanisms mechanisms used to automate the implementation of changes and deployment of the updated baseline across the installed...
CM-03(04)
Security and Privacy Representatives 4 params
Require {{ insert: param, cm-3.4_prm_1 }} to be members of the {{ insert: param, cm-03.04_odp.03 }}.
Param ID Label Constraint / Choices
cm-3.4_prm_1 organization-defined security and privacy representatives Organization-defined
cm-03.04_odp.01 security representatives security representatives required to be members of the change control element are defined;
cm-03.04_odp.02 privacy representatives privacy representatives required to be members of the change control element are defined;
cm-03.04_odp.03 configuration change control element the configuration change control element of which the security and privacy representatives are to be members is defined;
CM-03(05)
Automated Security Response 1 param
Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: {{ insert: param, cm-03.05_odp }}.
Param ID Label Constraint / Choices
cm-03.05_odp security responses security responses to be automatically implemented are defined;
CM-03(06)
Cryptography Management 1 param
Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: {{ insert: param, cm-03.06_odp }}.
Param ID Label Constraint / Choices
cm-03.06_odp controls controls provided by cryptographic mechanisms that are to be under configuration management are defined;
CM-03(07)
Review System Changes 2 params
Review changes to the system {{ insert: param, cm-03.07_odp.01 }} or when {{ insert: param, cm-03.07_odp.02 }} to determine whether unauthorized changes have occurred.
Param ID Label Constraint / Choices
cm-03.07_odp.01 frequency the frequency at which changes are to be reviewed is defined;
cm-03.07_odp.02 circumstances the circumstances under which changes are to be reviewed are defined;
CM-03(08)
Prevent or Restrict Configuration Changes 1 param
Prevent or restrict changes to the configuration of the system under the following circumstances: {{ insert: param, cm-03.08_odp }}.
Param ID Label Constraint / Choices
cm-03.08_odp circumstances the circumstances under which changes are to be prevented or restricted are defined;
CM-04
Impact Analyses
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
CM-04(01)
Separate Test Environments
Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility,...
CM-04(02)
Verification of Controls
After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requireme...
CM-05
Access Restrictions for Change
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
CM-05(01)
Automated Access Enforcement and Audit Records 1 param
(a) Enforce access restrictions using {{ insert: param, cm-05.01_odp }}; and (b) Automatically generate audit records of the enforcement actions.
Param ID Label Constraint / Choices
cm-05.01_odp automated mechanisms mechanisms used to automate the enforcement of access restrictions are defined;
CM-05(02)
Review System Changes
[Withdrawn: Incorporated into CM-03(07).]
CM-05(03)
Signed Components
[Withdrawn: Moved to CM-14.]
CM-05(04)
Dual Authorization 3 params
Enforce dual authorization for implementing changes to {{ insert: param, cm-5.4_prm_1 }}.
Param ID Label Constraint / Choices
cm-5.4_prm_1 organization-defined system components and system-level information Organization-defined
cm-05.04_odp.01 system components system components requiring dual authorization for changes are defined;
cm-05.04_odp.02 system-level information system-level information requiring dual authorization for changes is defined;
CM-05(05)
Privilege Limitation for Production and Operation 3 params
(a) Limit privileges to change system components and system-related information within a production or operational environment; and (b) Review and reevaluate privileges {{ insert: param, cm-5.5...
Param ID Label Constraint / Choices
cm-5.5_prm_1 organization-defined frequency Organization-defined
cm-05.05_odp.01 frequency frequency at which to review privileges is defined;
cm-05.05_odp.02 frequency frequency at which to reevaluate privileges is defined;
CM-05(06)
Limit Library Privileges
Limit privileges to change software resident within software libraries.
CM-05(07)
Automatic Implementation of Security Safeguards
[Withdrawn: Incorporated into SI-07.]
CM-06
Configuration Settings 3 params
a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using {{ insert: param, ...
Param ID Label Constraint / Choices
cm-06_odp.01 common secure configurations common secure configurations to establish and document configuration settings for components employed within the syst...
cm-06_odp.02 system components system components for which approval of deviations is needed are defined;
cm-06_odp.03 operational requirements operational requirements necessitating approval of deviations are defined;
CM-06(01)
Automated Management, Application, and Verification 5 params
Manage, apply, and verify configuration settings for {{ insert: param, cm-06.01_odp.01 }} using {{ insert: param, cm-6.1_prm_2 }}.
Param ID Label Constraint / Choices
cm-6.1_prm_2 organization-defined automated mechanisms Organization-defined
cm-06.01_odp.01 system components system components for which to manage, apply, and verify configuration settings are defined;
cm-06.01_odp.02 automated mechanisms automated mechanisms to manage configuration settings are defined;
cm-06.01_odp.03 automated mechanisms automated mechanisms to apply configuration settings are defined;
cm-06.01_odp.04 automated mechanisms automated mechanisms to verify configuration settings are defined;
CM-06(02)
Respond to Unauthorized Changes 2 params
Take the following actions in response to unauthorized changes to {{ insert: param, cm-06.02_odp.02 }}: {{ insert: param, cm-06.02_odp.01 }}.
Param ID Label Constraint / Choices
cm-06.02_odp.01 actions actions to be taken upon an unauthorized change are defined;
cm-06.02_odp.02 configuration settings configuration settings requiring action upon an unauthorized change are defined;
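The mechanisms named by CM-02(02), CM-02(03), CM-03(07) and CM-06(02) above can be exercised together in one small drift check. The Python below is an added example, not text or code from the NIST catalog or from any product: it hashes configuration items, diffs them against the controlled baseline, treats a changed item as authorized only when a CM-03 change record covers that item, and keeps a bounded history of previous baselines for rollback. The file paths, their contents and the change record id CHG-0042 are constructed for the demo.

```python
"""Baseline drift check (added example, not NIST catalog text or code).
Ties CM-02(02) automated baseline maintenance, CM-02(03) retained baselines
for rollback, CM-03(07) review for unauthorized changes and CM-06(02)
response together. File contents and the change record are constructed."""
import hashlib
from collections import deque
from dataclasses import dataclass, field


def snapshot(files: dict) -> dict:
    """Configuration item (path) -> SHA-256 of its current content."""
    return {p: hashlib.sha256(c).hexdigest() for p, c in files.items()}


@dataclass
class Drift:
    added: set = field(default_factory=set)
    removed: set = field(default_factory=set)
    modified: set = field(default_factory=set)

    def changed(self) -> set:
        return self.added | self.removed | self.modified


def diff(baseline: dict, current: dict) -> Drift:
    """Compare a snapshot against the controlled baseline."""
    d = Drift(removed=set(baseline) - set(current))
    for path, digest in current.items():
        if path not in baseline:
            d.added.add(path)
        elif baseline[path] != digest:
            d.modified.add(path)
    return d


def classify(drift: Drift, approved: dict) -> tuple:
    """Split changed items into approved (path -> CM-03 change record id)
    and unauthorized (no approved change record covers the path)."""
    authorized = {p: approved[p] for p in drift.changed() if p in approved}
    return authorized, drift.changed() - set(authorized)


class BaselineStore:
    """Current baseline plus the last `retain` previous versions (CM-02(03))."""

    def __init__(self, initial: dict, retain: int = 3):
        self.current = dict(initial)
        self.previous = deque(maxlen=retain)  # oldest version is dropped first

    def promote(self, approved_snapshot: dict) -> None:
        """Adopt an approved snapshot as the new baseline, keeping the old one."""
        self.previous.append(self.current)
        self.current = dict(approved_snapshot)

    def rollback(self) -> dict:
        """Restore the most recently retained baseline."""
        if not self.previous:
            raise RuntimeError("no previous baseline retained")
        self.current = self.previous.pop()
        return self.current


def review(store: BaselineStore, files: dict, approved: dict) -> tuple:
    """CM-03(07) review: returns (authorized, unauthorized, response). The
    response string stands in for the CM-06(02) action; a real deployment
    would re-apply the setting and/or open an incident."""
    authorized, unauthorized = classify(diff(store.current, snapshot(files)), approved)
    if unauthorized:
        return authorized, unauthorized, "restore-baseline-and-alert"
    return authorized, unauthorized, "promote-snapshot" if authorized else "no-change"


# Constructed sample data: the controlled baseline and what is on the host now.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/sysctl.d/99-hardening.conf": b"kernel.kptr_restrict = 2\n",
    "/etc/audit/rules.d/cm.rules": b"-w /etc/ -p wa -k cm\n",
}
HOST_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # no record
    "/etc/sysctl.d/99-hardening.conf": b"kernel.kptr_restrict = 2\nfs.protected_symlinks = 1\n",
    "/etc/audit/rules.d/cm.rules": b"-w /etc/ -p wa -k cm\n",
    "/etc/cron.d/nightly-sync": b"0 3 * * * root /opt/sync.sh\n",  # appeared, no record
}
# Hypothetical CM-03 change record; it covers only the sysctl edit.
APPROVED_CHANGES = {"/etc/sysctl.d/99-hardening.conf": "CHG-0042"}


def run_demo() -> tuple:
    store = BaselineStore(snapshot(BASELINE_FILES), retain=2)
    return review(store, HOST_FILES, APPROVED_CHANGES)


if __name__ == "__main__":
    print(run_demo())
```

Run it directly to print the review result. The response strings stand in for whatever cm-06.02_odp.01 defines; the design point is that authorization is decided per item against change records, so an approved change elsewhere on the host does not mask an unapproved one, and the retained baselines give the rollback target that CM-02(03) asks for.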
CM-06(03)
Unauthorized Change Detection
[Withdrawn: Incorporated into SI-07.]
CM-06(04)
Conformance Demonstration
[Withdrawn: Incorporated into CM-04.]
CM-07
Least Functionality 7 params
a. Configure the system to provide only {{ insert: param, cm-07_odp.01 }}; and b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ inser...
Param ID Label Constraint / Choices
cm-7_prm_2 organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services Organization-defined
cm-07_odp.01 mission-essential capabilities mission-essential capabilities for the system are defined;
cm-07_odp.02 functions functions to be prohibited or restricted are defined;
cm-07_odp.03 ports ports to be prohibited or restricted are defined;
cm-07_odp.04 protocols protocols to be prohibited or restricted are defined;
cm-07_odp.05 software software to be prohibited or restricted is defined;
cm-07_odp.06 services services to be prohibited or restricted are defined;
CM-07(01)
Periodic Review 7 params
(a) Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and (b) Disable or remove {{ insert: par...
Param ID Label Constraint / Choices
cm-7.1_prm_2 organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure Organization-defined
cm-07.01_odp.01 frequency the frequency at which to review the system to identify unnecessary and/or non-secure functions, ports, protocols, so...
cm-07.01_odp.02 functions functions to be disabled or removed when deemed unnecessary or non-secure are defined;
cm-07.01_odp.03 ports ports to be disabled or removed when deemed unnecessary or non-secure are defined;
cm-07.01_odp.04 protocols protocols to be disabled or removed when deemed unnecessary or non-secure are defined;
cm-07.01_odp.05 software software to be disabled or removed when deemed unnecessary or non-secure is defined;
cm-07.01_odp.06 services services to be disabled or removed when deemed unnecessary or non-secure are defined;
CM-07(02)
Prevent Program Execution 2 params
Prevent program execution in accordance with {{ insert: param, cm-07.02_odp.01 }}.
Param ID Label Constraint / Choices
cm-07.02_odp.01 Select one-or-more: {{ insert: param, cm-07.02_odp.02 }}; rules authorizing the terms and conditions of software program usage
cm-07.02_odp.02 policies, rules of behavior, and/or access agreements regarding software program usage and restrictions policies, rules of behavior, and/or access agreements regarding software program usage and restrictions are defined (...
CM-07(03)
Registration Compliance 1 param
Ensure compliance with {{ insert: param, cm-07.03_odp }}.
Param ID Label Constraint / Choices
cm-07.03_odp registration requirements registration requirements for functions, ports, protocols, and services are defined;
CM-07(04)
Unauthorized Software — Deny-by-exception 2 params
(a) Identify {{ insert: param, cm-07.04_odp.01 }}; (b) Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and (c) Review ...
Param ID Label Constraint / Choices
cm-07.04_odp.01 software programs software programs not authorized to execute on the system are defined;
cm-07.04_odp.02 frequency frequency at which to review and update the list of unauthorized software programs is defined;
CM-07(05)
Authorized Software — Allow-by-exception 2 params
(a) Identify {{ insert: param, cm-07.05_odp.01 }}; (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and (c) Review and u...
Param ID Label Constraint / Choices
cm-07.05_odp.01 software programs software programs authorized to execute on the system are defined;
cm-07.05_odp.02 frequency frequency at which to review and update the list of authorized software programs is defined;
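CM-07(04) and CM-07(05) define opposite default postures, and CM-07(02) requires execution to be prevented according to whichever one the organization selects. The Python below is an added example, not text or code from the NIST catalog or from any product, that makes the difference concrete: the same four execution attempts are evaluated under an allow-all, deny-by-exception policy and under a deny-all, permit-by-exception policy. Programs are identified by content hash rather than by path, so a renamed copy gets the same decision as the original. The sample "binaries", the list contents and the paths are constructed.

```python
"""Program execution policy (added example, not NIST catalog text or code).
Contrasts CM-07(04) allow-all, deny-by-exception with CM-07(05) deny-all,
permit-by-exception, and enforces CM-07(02) by deciding whether a given
program may run. Sample programs, lists and paths are constructed."""
import hashlib
from enum import Enum


class Mode(Enum):
    DENY_BY_EXCEPTION = "allow-all, deny-by-exception"    # CM-07(04)
    PERMIT_BY_EXCEPTION = "deny-all, permit-by-exception"  # CM-07(05)


def program_id(content: bytes) -> str:
    """A program's identity is the hash of its bytes, never its file name."""
    return hashlib.sha256(content).hexdigest()


class ExecutionPolicy:
    def __init__(self, mode: Mode, listed: dict):
        """`listed` maps program hash -> name. Under DENY_BY_EXCEPTION it is
        the unauthorized list (cm-07.04_odp.01); under PERMIT_BY_EXCEPTION it
        is the authorized list (cm-07.05_odp.01)."""
        self.mode = mode
        self.listed = dict(listed)

    def decide(self, path: str, content: bytes) -> tuple:
        """Return (allowed, reason) for an attempt to execute `content` at `path`."""
        digest = program_id(content)
        on_list = digest in self.listed
        if self.mode is Mode.DENY_BY_EXCEPTION:
            if on_list:
                return False, f"{path}: on the unauthorized list as {self.listed[digest]}"
            return True, f"{path}: not on the unauthorized list"
        if on_list:
            return True, f"{path}: on the authorized list as {self.listed[digest]}"
        return False, f"{path}: not on the authorized list"

    def add(self, content: bytes, name: str) -> None:
        """CM-07(04)(c) / CM-07(05)(c): the list is reviewed and updated."""
        self.listed[program_id(content)] = name


# Constructed sample programs (stand-ins for real binaries).
OPENSSL = b"\x7fELF openssl (constructed)"
NETCAT = b"\x7fELF nc (constructed)"
NEW_TOOL = b"\x7fELF unreviewed-tool (constructed)"

# Hypothetical contents of the two organization-defined lists.
UNAUTHORIZED = {program_id(NETCAT): "nc"}
AUTHORIZED = {program_id(OPENSSL): "openssl"}

# Execution attempts: the path the OS sees and the bytes actually loaded.
ATTEMPTS = {
    "openssl": ("/usr/bin/openssl", OPENSSL),
    "nc": ("/usr/bin/nc", NETCAT),
    "nc-renamed": ("/tmp/.cache/update", NETCAT),  # same bytes, evasive name
    "new-tool": ("/home/dev/tool", NEW_TOOL),      # never reviewed
}


def run_scenarios() -> dict:
    """Decision for every attempt under both postures: {mode name: {attempt: allowed}}."""
    policies = {
        Mode.DENY_BY_EXCEPTION: ExecutionPolicy(Mode.DENY_BY_EXCEPTION, UNAUTHORIZED),
        Mode.PERMIT_BY_EXCEPTION: ExecutionPolicy(Mode.PERMIT_BY_EXCEPTION, AUTHORIZED),
    }
    return {
        mode.name: {label: policy.decide(path, content)[0]
                    for label, (path, content) in ATTEMPTS.items()}
        for mode, policy in policies.items()
    }


if __name__ == "__main__":
    for mode_name, decisions in run_scenarios().items():
        print(mode_name, decisions)
```

Under deny-by-exception the unreviewed tool runs because nothing on the list matches it; under permit-by-exception it is blocked until the list is updated through the (c) review step, which `add()` models. Real enforcement lives in the platform (fapolicyd on Linux, AppLocker or WDAC on Windows, all of which support hash rules); the code shows the decision logic those tools implement and why hashes, not names, must be the identity.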
CM-07(06)
Confined Environments with Limited Privileges 1 param
Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: {{ insert: param, cm-07.06_odp }}.
Param ID Label Constraint / Choices
cm-07.06_odp user-installed software user-installed software required to be executed in a confined environment is defined;
CM-07(07)
Code Execution in Protected Environments 1 param
Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of {{ insert: param, cm-07.07_odp }} when such code is:...
Param ID Label Constraint / Choices
cm-07.07_odp personnel or roles personnel or roles to explicitly approve execution of binary or machine-executable code is/are defined;
CM-07(08)
Binary or Machine Executable Code
(a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and (b) Allow exceptions only for compelling mission ...
CM-07(09)
Prohibiting the Use of Unauthorized Hardware 2 params
(a) Identify {{ insert: param, cm-07.09_odp.01 }}; (b) Prohibit the use or connection of unauthorized hardware components; (c) Review and update the list of authorized hardware components {{ ...
Param ID Label Constraint / Choices
cm-07.09_odp.01 hardware components hardware components authorized for system use are defined;
cm-07.09_odp.02 frequency frequency at which to review and update the list of authorized hardware components is defined;
CM-08
System Component Inventory 2 params
a. Develop and document an inventory of system components that: 1. Accurately reflects the system; 2. Includes all components within the system; 3. Does not include duplicate accounti...
Param ID Label Constraint / Choices
cm-08_odp.01 information information deemed necessary to achieve effective system component accountability is defined;
cm-08_odp.02 frequency frequency at which to review and update the system component inventory is defined;
CM-08(01)
Updates During Installation and Removal
Update the inventory of system components as part of component installations, removals, and system updates.
CM-08(02)
Automated Maintenance 5 params
Maintain the currency, completeness, accuracy, and availability of the inventory of system components using {{ insert: param, cm-8.2_prm_1 }}.
Param ID Label Constraint / Choices
cm-8.2_prm_1 organization-defined automated mechanisms Organization-defined
cm-08.02_odp.01 automated mechanisms automated mechanisms used to maintain the currency of the system component inventory are defined;
cm-08.02_odp.02 automated mechanisms automated mechanisms used to maintain the completeness of the system component inventory are defined;
cm-08.02_odp.03 automated mechanisms automated mechanisms used to maintain the accuracy of the system component inventory are defined;
cm-08.02_odp.04 automated mechanisms automated mechanisms used to maintain the availability of the system component inventory are defined;
CM-08(03)
Automated Unauthorized Component Detection 7 params
(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert: param, cm-08.03_odp.04 }}; and (b) Take...
Param ID Label Constraint / Choices
cm-8.3_prm_1 organization-defined automated mechanisms Organization-defined
cm-08.03_odp.01 automated mechanisms automated mechanisms used to detect the presence of unauthorized hardware within the system are defined;
cm-08.03_odp.02 automated mechanisms automated mechanisms used to detect the presence of unauthorized software within the system are defined;
cm-08.03_odp.03 automated mechanisms automated mechanisms used to detect the presence of unauthorized firmware within the system are defined;
cm-08.03_odp.04 frequency frequency at which automated mechanisms are used to detect the presence of unauthorized system components within the ...
cm-08.03_odp.05 Select one-or-more: disable network access by unauthorized components; isolate unauthorized components; notify {{ insert: param, cm-08.03_odp.06 }}
cm-08.03_odp.06 personnel or roles personnel or roles to be notified when unauthorized components are detected is/are defined (if selected);
CM-08(04)
Accountability Information 1 param
Include in the system component inventory information, a means for identifying by {{ insert: param, cm-08.04_odp }}, individuals responsible and accountable for administering those components.
Param ID Label Constraint / Choices
cm-08.04_odp Select one-or-more: name; position; role
CM-08(05)
No Duplicate Accounting of Components
[Withdrawn: Incorporated into CM-08.]
CM-08(06)
Assessed Configurations and Approved Deviations
Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.
CM-08(07)
Centralized Repository
Provide a centralized repository for the inventory of system components.
CM-08(08)
Automated Location Tracking 1 param
Support the tracking of system components by geographic location using {{ insert: param, cm-08.08_odp }}.
Param ID Label Constraint / Choices
cm-08.08_odp automated mechanisms automated mechanisms for tracking components are defined;
CM-08(09)
Assignment of Components to Systems 1 param
(a) Assign system components to a system; and (b) Receive an acknowledgement from {{ insert: param, cm-08.09_odp }} of this assignment.
Param ID Label Constraint / Choices
cm-08.09_odp personnel or roles personnel or roles from which to receive an acknowledgement is/are defined;
CM-09
Configuration Management Plan 1 param
Develop, document, and implement a configuration management plan for the system that: a. Addresses roles, responsibilities, and configuration management processes and procedures; b. Establishes...
Param ID Label Constraint / Choices
cm-09_odp personnel or roles personnel or roles to review and approve the configuration management plan is/are defined;
CM-09(01)
Assignment of Responsibility
Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.
CM-10
Software Usage Restrictions
a. Use software and associated documentation in accordance with contract agreements and copyright laws; b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, ...
CM-10(01)
Open-source Software 1 param
Establish the following restrictions on the use of open-source software: {{ insert: param, cm-10.01_odp }}.
Param ID Label Constraint / Choices
cm-10.01_odp restrictions restrictions on the use of open-source software are defined;
CM-11
User-installed Software 3 params
a. Establish {{ insert: param, cm-11_odp.01 }} governing the installation of software by users; b. Enforce software installation policies through the following methods: {{ insert: param, cm-11_odp.02 }}; and c. Monitor policy compliance {{ insert: param, cm-11_odp.03 }}.
Param ID Label Constraint / Choices
cm-11_odp.01 policies policies governing the installation of software by users are defined;
cm-11_odp.02 methods methods used to enforce software installation policies are defined;
cm-11_odp.03 frequency frequency with which to monitor compliance is defined;
CM-11(01)
Alerts for Unauthorized Installations
[Withdrawn: Incorporated into CM-08(03).]
CM-11(02)
Software Installation with Privileged Status
Allow user installation of software only with explicit privileged status.
CM-11(03)
Automated Enforcement and Monitoring 3 params
Enforce and monitor compliance with software installation policies using {{ insert: param, cm-11.3_prm_1 }}.
Param ID Label Constraint / Choices
cm-11.3_prm_1 organization-defined automated mechanisms Organization-defined
cm-11.03_odp.01 automated mechanisms automated mechanisms used to enforce compliance are defined;
cm-11.03_odp.02 automated mechanisms automated mechanisms used to monitor compliance are defined;
CM-12
Information Location 1 param
a. Identify and document the location of {{ insert: param, cm-12_odp }} and the specific system components on which the information is processed and stored; b. Identify and document the users who have access to the system and system components where the information is processed and stored; and c. Document changes to the location (i.e., system or system components) where the information is processed and stored.
Param ID Label Constraint / Choices
cm-12_odp information information for which the location is to be identified and documented is defined;
CM-12(01)
Automated Tools to Support Information Location 2 params
Use automated tools to identify {{ insert: param, cm-12.01_odp.01 }} on {{ insert: param, cm-12.01_odp.02 }} to ensure controls are in place to protect organizational information and individual pri...
Param ID Label Constraint / Choices
cm-12.01_odp.01 information by information type information to be protected is defined by information type;
cm-12.01_odp.02 system components system components where the information is located are defined;
CM-13
Data Action Mapping
Develop and document a map of system data actions.
CM-14
Signed Components 3 params
Prevent the installation of {{ insert: param, cm-14_prm_1 }} without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
Param ID Label Constraint / Choices
cm-14_prm_1 organization-defined software and firmware components Organization-defined
cm-14_odp.01 software components software components requiring verification of a digitally signed certificate before installation are defined;
cm-14_odp.02 firmware components firmware components requiring verification of a digitally signed certificate before installation are defined;
Part ID Statement part
cm-1a Develop, document, and disseminate to {{ insert: param, cm-1_prm_1 }}:
cm-1a.1 {{ insert: param, cm-01_odp.03 }} configuration management policy that:
cm-1a.1.(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
cm-1a.1.(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
cm-1a.2 Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
cm-1b Designate an {{ insert: param, cm-01_odp.04 }} to manage the development, documentation, and dissemination of the configuration management policy a...
cm-1c Review and update the current configuration management:
cm-1c.1 Policy {{ insert: param, cm-01_odp.05 }} and following {{ insert: param, cm-01_odp.06 }}; and
cm-1c.2 Procedures {{ insert: param, cm-01_odp.07 }} and following {{ insert: param, cm-01_odp.08 }}.
cm-2a Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
cm-2b Review and update the baseline configuration of the system:
cm-2b.1 {{ insert: param, cm-02_odp.01 }};
cm-2b.2 When required due to {{ insert: param, cm-02_odp.02 }}; and
cm-2b.3 When system components are installed or upgraded.
cm-2.7.(a) Issue {{ insert: param, cm-02.07_odp.01 }} with {{ insert: param, cm-02.07_odp.02 }} to individuals traveling to locations that the organization de...
cm-2.7.(b) Apply the following controls to the systems or components when the individuals return from travel: {{ insert: param, cm-02.07_odp.03 }}.
cm-3a Determine and document the types of changes to the system that are configuration-controlled;
cm-3b Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and ...
cm-3c Document configuration change decisions associated with the system;
cm-3d Implement approved configuration-controlled changes to the system;
cm-3e Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};
cm-3f Monitor and review activities associated with configuration-controlled changes to the system; and
cm-3g Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: par...
cm-3.1.(a) Document proposed changes to the system;
cm-3.1.(b) Notify {{ insert: param, cm-03.01_odp.02 }} of proposed changes to the system and request change approval;
cm-3.1.(c) Highlight proposed changes to the system that have not been approved or disapproved within {{ insert: param, cm-03.01_odp.03 }};
cm-3.1.(d) Prohibit changes to the system until designated approvals are received;
cm-3.1.(e) Document all changes to the system; and
cm-3.1.(f) Notify {{ insert: param, cm-03.01_odp.04 }} when approved changes to the system are completed.
cm-5.1.(a) Enforce access restrictions using {{ insert: param, cm-05.01_odp }}; and
cm-5.1.(b) Automatically generate audit records of the enforcement actions.
cm-5.5.(a) Limit privileges to change system components and system-related information within a production or operational environment; and
cm-5.5.(b) Review and reevaluate privileges {{ insert: param, cm-5.5_prm_1 }}.
cm-6a Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with oper...
cm-6b Implement the configuration settings;
cm-6c Identify, document, and approve any deviations from established configuration settings for {{ insert: param, cm-06_odp.02 }} based on {{ insert: pa...
cm-6d Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
cm-7a Configure the system to provide only {{ insert: param, cm-07_odp.01 }}; and
cm-7b Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: {{ insert: param, cm-7_prm_2 }}.
cm-7.1.(a) Review the system {{ insert: param, cm-07.01_odp.01 }} to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services...
cm-7.1.(b) Disable or remove {{ insert: param, cm-7.1_prm_2 }}.
cm-7.4.(a) Identify {{ insert: param, cm-07.04_odp.01 }};
cm-7.4.(b) Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and
cm-7.4.(c) Review and update the list of unauthorized software programs {{ insert: param, cm-07.04_odp.02 }}.
cm-7.5.(a) Identify {{ insert: param, cm-07.05_odp.01 }};
cm-7.5.(b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
cm-7.5.(c) Review and update the list of authorized software programs {{ insert: param, cm-07.05_odp.02 }}.
cm-7.7.(a) Obtained from sources with limited or no warranty; and/or
cm-7.7.(b) Without the provision of source code.
cm-7.8.(a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and
cm-7.8.(b) Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.
cm-7.9.(a) Identify {{ insert: param, cm-07.09_odp.01 }};
cm-7.9.(b) Prohibit the use or connection of unauthorized hardware components;
cm-7.9.(c) Review and update the list of authorized hardware components {{ insert: param, cm-07.09_odp.02 }}.
cm-8a Develop and document an inventory of system components that:
cm-8a.1 Accurately reflects the system;
cm-8a.2 Includes all components within the system;
cm-8a.3 Does not include duplicate accounting of components or components assigned to any other system;
cm-8a.4 Is at the level of granularity deemed necessary for tracking and reporting; and
cm-8a.5 Includes the following information to achieve system component accountability: {{ insert: param, cm-08_odp.01 }}; and
cm-8b Review and update the system component inventory {{ insert: param, cm-08_odp.02 }}.
cm-8.3.(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using {{ insert: param, cm-8.3_prm_1 }} {{ insert...
cm-8.3.(b) Take the following actions when unauthorized components are detected: {{ insert: param, cm-08.03_odp.05 }}.
cm-8.9.(a) Assign system components to a system; and
cm-8.9.(b) Receive an acknowledgement from {{ insert: param, cm-08.09_odp }} of this assignment.
cm-9a Addresses roles, responsibilities, and configuration management processes and procedures;
cm-9b Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the co...
cm-9c Defines the configuration items for the system and places the configuration items under configuration management;
cm-9d Is reviewed and approved by {{ insert: param, cm-09_odp }}; and
cm-9e Protects the configuration management plan from unauthorized disclosure and modification.