
Configuration Management (CM)

This page contains all 56 controls and control enhancements in the Configuration Management (CM) family from the vendored NIST SP 800-53 Revision 5 OSCAL catalog.

Official NIST OSCAL source

  • Catalog version: 5.2.0
  • OSCAL version: 1.2.2
  • Catalog last modified: May 11, 2026

CM-01 (Policy and Procedures)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
    • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] configuration management policy that:
      • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
    • 2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
  • b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
  • c. Review and update the current configuration management:
    • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
    • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

FedRAMP Guidance

Follow the Significant Change Notification rules.


External Link for Additional Information: myctrl.tools


CM-02 (Baseline Configuration)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
  • b. Review and update the baseline configuration of the system:
    • 1. [Assignment: organization-defined frequency];
    • 2. When required due to [Assignment: organization-defined circumstances]; and
    • 3. When system components are installed or upgraded.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-02 (02) (Automation Support for Accuracy and Currency)

FedRAMP Rev5 Baselines: Class C, Class D

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-02 (03) (Retention of Previous Configurations)

FedRAMP Rev5 Baselines: Class C, Class D

Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
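
CM-2, CM-2(2) and CM-2(3) together describe a versioned baseline: one approved snapshot that is kept current, with a fixed number of previous versions retained so an operator can roll back. The Go program below is an added illustration of that mechanism, not code from this page, NIST or FedRAMP. The component names, the content behind each digest and the retention count of two previous versions are constructed; a real implementation would build the item maps from a package manager, image registry or infrastructure-as-code state rather than from literals.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Baseline is one approved snapshot: component name mapped to hex SHA-256 of its content.
type Baseline struct {
	Version int
	Items   map[string]string
}

// Drift is how an observed state differs from a baseline.
type Drift struct{ Added, Removed, Changed []string }

// Store keeps the current baseline plus `retain` previous versions so an
// operator can roll back to any of them (CM-2(3)); older ones are pruned.
type Store struct {
	retain, next int
	history      []Baseline // oldest first; last element is current
}

func NewStore(retain int) *Store { return &Store{retain: retain} }

// Digest returns the hex SHA-256 of a component's bytes.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Commit records an approved state as a new version. The map is stored as
// given, so callers must not mutate it afterwards. Version numbers keep
// increasing after pruning so change records (CM-3e) stay unambiguous.
func (s *Store) Commit(items map[string]string) Baseline {
	s.next++
	s.history = append(s.history, Baseline{Version: s.next, Items: items})
	if limit := s.retain + 1; len(s.history) > limit {
		s.history = s.history[len(s.history)-limit:]
	}
	return s.history[len(s.history)-1]
}

// Previous returns the baseline n versions behind current (0 = current);
// ok is false before any commit or once that version has been pruned.
func (s *Store) Previous(n int) (Baseline, bool) {
	idx := len(s.history) - 1 - n
	if n < 0 || idx < 0 {
		return Baseline{}, false
	}
	return s.history[idx], true
}

// Rollback re-commits the baseline n versions back as a new version, so
// the record shows both the bad state and the recovery.
func (s *Store) Rollback(n int) (Baseline, bool) {
	prev, ok := s.Previous(n)
	if !ok || n == 0 {
		return Baseline{}, false
	}
	return s.Commit(prev.Items), true
}

// Compare reports how an observed state differs from the expected one;
// run against the current baseline it is the unauthorized-change check of CM-3(7).
func Compare(expected, observed map[string]string) Drift {
	var d Drift
	for name, want := range expected {
		if got, present := observed[name]; !present {
			d.Removed = append(d.Removed, name)
		} else if got != want {
			d.Changed = append(d.Changed, name)
		}
	}
	for name := range observed {
		if _, present := expected[name]; !present {
			d.Added = append(d.Added, name)
		}
	}
	for _, l := range [][]string{d.Added, d.Removed, d.Changed} {
		sort.Strings(l) // deterministic output for reports
	}
	return d
}

func main() {
	store := NewStore(2)
	// Constructed baseline of one host (digests of sample content, not real files).
	store.Commit(map[string]string{
		"/etc/ssh/sshd_config": Digest([]byte("PermitRootLogin no\n")),
		"/usr/sbin/sshd":       Digest([]byte("sshd build 9.6p1")),
	})
	// Later observation: the config was edited and an unexpected binary appeared.
	observed := map[string]string{
		"/etc/ssh/sshd_config": Digest([]byte("PermitRootLogin yes\n")),
		"/usr/sbin/sshd":       Digest([]byte("sshd build 9.6p1")),
		"/usr/local/bin/nc":    Digest([]byte("netcat")),
	}
	cur, _ := store.Previous(0)
	fmt.Printf("drift from baseline v%d: %+v\n", cur.Version, Compare(cur.Items, observed))
}
```

Rollback deliberately records the recovery as a new version instead of rewriting history: the version that caused the problem stays in the retained window, which is what the CM-3e change records and a later root-cause review need.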


CM-02 (06) (Development and Test Environments)

Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-02 (07) (Configure Systems and Components for High-risk Areas)

FedRAMP Rev5 Baselines: Class C, Class D
  • (a) Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
  • (b) Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-03 (Configuration Change Control)

FedRAMP Rev5 Baselines: Class C, Class D
  • a. Determine and document the types of changes to the system that are configuration-controlled;
  • b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
  • c. Document configuration change decisions associated with the system;
  • d. Implement approved configuration-controlled changes to the system;
  • e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
  • f. Monitor and review activities associated with configuration-controlled changes to the system; and
  • g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection: one or more of: [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-03 (01) (Automated Documentation, Notification, and Prohibition of Changes)

FedRAMP Rev5 Baselines: Class D

Use [Assignment: organization-defined automated mechanisms] to:

  • (a) Document proposed changes to the system;
  • (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval;
  • (c) Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period];
  • (d) Prohibit changes to the system until designated approvals are received;
  • (e) Document all changes to the system; and
  • (f) Notify [Assignment: organization-defined personnel] when approved changes to the system are completed.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-03 (02) (Testing, Validation, and Documentation of Changes)

FedRAMP Rev5 Baselines: Class C, Class D

Test, validate, and document changes to the system before finalizing the implementation of the changes.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-03 (03) (Automated Change Implementation)

Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-03 (04) (Security and Privacy Representatives)

FedRAMP Rev5 Baselines: Class C, Class D

Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-03 (05) (Automated Security Response)

Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-03 (06) (Cryptography Management)

FedRAMP Rev5 Baselines: Class D

Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-03 (07) (Review System Changes)

Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-03 (08) (Prevent or Restrict Configuration Changes)

Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-04 (Impact Analyses)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-04 (01) (Separate Test Environments)

FedRAMP Rev5 Baselines: Class D

Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-04 (02) (Verification of Controls)

FedRAMP Rev5 Baselines: Class C, Class D

After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-05 (Access Restrictions for Change)

FedRAMP Rev5 Baselines: Class B, Class C, Class D

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-05 (01) (Automated Access Enforcement and Audit Records)

FedRAMP Rev5 Baselines: Class C, Class D
  • (a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and
  • (b) Automatically generate audit records of the enforcement actions.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-05 (04) (Dual Authorization)

Enforce dual authorization for implementing changes to [Assignment: organization-defined system components and system-level information].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-05 (05) (Privilege Limitation for Production and Operation)

FedRAMP Rev5 Baselines: Class C, Class D
  • (a) Limit privileges to change system components and system-related information within a production or operational environment; and
  • (b) Review and reevaluate privileges [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-05 (06) (Limit Library Privileges)

Limit privileges to change software resident within software libraries.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-06 (Configuration Settings)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
  • b. Implement the configuration settings;
  • c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
  • d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-06 (01) (Automated Management, Application, and Verification)

FedRAMP Rev5 Baselines: Class C, Class D

Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-06 (02) (Respond to Unauthorized Changes)

FedRAMP Rev5 Baselines: Class D

Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
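
CM-6, CM-6(1) and CM-6(2) form one loop: a documented secure configuration, automated verification of components against it with approved deviations recorded per component, and a defined response to anything else. The Go program below is an added example of that loop, not code from this page, NIST or FedRAMP. It parses an sshd_config-style file against a constructed baseline; the host name, ticket number, required values and the configuration text are all made up for the example, and the "alert" and "enforce" strings stand in for whatever the organization's automation actually does.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Requirement is one setting from the organization's secure configuration
// (CM-6a): the key and the value the baseline demands.
type Requirement struct{ Key, Want string }

// Deviation is an approved exception (CM-6c): the component that may
// differ, the value it is allowed, and the change record that approved it.
type Deviation struct{ Component, Key, Allowed, Ticket string }

// Finding is the verdict for one baseline setting on one component.
type Finding struct {
	Component, Key, Want, Got, Ticket string
	Status                            string // compliant | approved-deviation | unauthorized | missing
}

// ParseKeyValue reads sshd_config-style "Key Value" lines, skipping blanks
// and comments. Keys are lower-cased because sshd matches them without
// regard to case, and the first occurrence wins, as it does in sshd.
func ParseKeyValue(text string) map[string]string {
	settings := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 2 || strings.HasPrefix(fields[0], "#") {
			continue
		}
		if key := strings.ToLower(fields[0]); settings[key] == "" {
			settings[key] = strings.Join(fields[1:], " ")
		}
	}
	return settings
}

// Evaluate checks one component's settings against the baseline. A
// deviation counts only if it was approved for this component and key.
func Evaluate(component string, actual map[string]string, baseline []Requirement, deviations []Deviation) []Finding {
	approved := map[string]Deviation{}
	for _, d := range deviations {
		if d.Component == component {
			approved[strings.ToLower(d.Key)] = d
		}
	}
	findings := make([]Finding, 0, len(baseline))
	for _, r := range baseline {
		key := strings.ToLower(r.Key)
		f := Finding{Component: component, Key: r.Key, Want: r.Want}
		got, present := actual[key]
		f.Got = got
		dev, hasDev := approved[key]
		switch {
		case !present:
			f.Status = "missing" // the component's own default applies, which is not the baseline
		case strings.EqualFold(got, r.Want):
			f.Status = "compliant"
		case hasDev && strings.EqualFold(got, dev.Allowed):
			f.Status, f.Ticket = "approved-deviation", dev.Ticket
		default:
			f.Status = "unauthorized"
		}
		findings = append(findings, f)
	}
	return findings
}

// Count returns how many findings carry the given status.
func Count(findings []Finding, status string) int {
	n := 0
	for _, f := range findings {
		if f.Status == status {
			n++
		}
	}
	return n
}

// Respond maps findings to CM-6(2) actions: an unauthorized or missing
// setting raises an alert and an enforce directive for the automation of
// CM-6(1); an approved deviation is logged with its ticket so the review
// trail stays visible; compliant settings produce nothing.
func Respond(findings []Finding) []string {
	var actions []string
	for _, f := range findings {
		switch f.Status {
		case "unauthorized", "missing":
			actions = append(actions,
				fmt.Sprintf("alert %s: %s=%q, baseline requires %q", f.Component, f.Key, f.Got, f.Want),
				fmt.Sprintf("enforce %s: set %s %s", f.Component, f.Key, f.Want))
		case "approved-deviation":
			actions = append(actions, fmt.Sprintf("log %s: %s=%q allowed by %s", f.Component, f.Key, f.Got, f.Ticket))
		}
	}
	return actions
}

func main() {
	// Constructed secure configuration, deviation record and sshd_config text.
	baseline := []Requirement{{"PermitRootLogin", "no"}, {"PasswordAuthentication", "no"}, {"X11Forwarding", "no"}, {"MaxAuthTries", "4"}}
	deviations := []Deviation{{Component: "bastion-01", Key: "PasswordAuthentication", Allowed: "yes", Ticket: "CHG-1234"}}
	cfg := ParseKeyValue("# bastion-01\nPermitRootLogin no\nPasswordAuthentication yes\nX11Forwarding yes\n")
	for _, a := range Respond(Evaluate("bastion-01", cfg, baseline, deviations)) {
		fmt.Println(a)
	}
}
```

Two details matter in practice: a deviation approved for one host must not silently cover another host with the same setting, and a setting that is simply absent is not compliant, because the component falls back to its own default rather than the baseline value.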


CM-07 (Least Functionality)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Configure the system to provide only [Assignment: organization-defined mission-essential capabilities]; and
  • b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-07 (01) (Periodic Review)

FedRAMP Rev5 Baselines: Class C, Class D
  • (a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
  • (b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-07 (02) (Prevent Program Execution)

FedRAMP Rev5 Baselines: Class C, Class D

Prevent program execution in accordance with [Selection: one or more of: [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-07 (03) (Registration Compliance)

Ensure compliance with [Assignment: organization-defined registration requirements].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-07 (04) (Unauthorized Software — Deny-by-exception)

  • (a) Identify [Assignment: organization-defined software programs];
  • (b) Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and
  • (c) Review and update the list of unauthorized software programs [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-07 (05) (Authorized Software — Allow-by-exception)

FedRAMP Rev5 Baselines: Class C, Class D
  • (a) Identify [Assignment: organization-defined software programs];
  • (b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
  • (c) Review and update the list of authorized software programs [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
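
CM-7(4) and CM-7(5) differ only in the default: one permits anything not on the list, the other blocks it. The Go program below, added here and not taken from this page, NIST or FedRAMP, enforces both modes from one code path and identifies programs by content digest rather than by path, so a binary copied to a new location is still recognized and a binary patched in place is not. The executables, paths and program names are constructed sample data; a real enforcement point would sit in the kernel or an EDR agent rather than in a user-space loop.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Mode selects which enhancement the policy enforces.
type Mode int

const (
	DenyByException  Mode = iota // CM-7(4): allow all, block the listed programs
	AllowByException             // CM-7(5): deny all, run only the listed programs
)

// Program identifies software by content digest rather than by path or
// file name: a renamed or copied binary keeps its digest, a patched or
// trojaned one does not.
type Program struct {
	Name   string
	Digest string // hex SHA-256 of the executable
}

// Policy is the organization-defined list for the chosen mode, keyed by
// digest (CM-7(4)(a) / CM-7(5)(a)).
type Policy struct {
	Mode   Mode
	listed map[string]Program
}

func NewPolicy(mode Mode, programs []Program) *Policy {
	p := &Policy{Mode: mode}
	p.Update(programs)
	return p
}

// Update replaces the list wholesale, as the periodic review in
// CM-7(4)(c) / CM-7(5)(c) would after approving additions and removals.
func (p *Policy) Update(programs []Program) {
	p.listed = make(map[string]Program, len(programs))
	for _, pr := range programs {
		p.listed[pr.Digest] = pr
	}
}

// Digest returns the hex SHA-256 of an executable's bytes.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// Decision records whether an execution was permitted and why.
type Decision struct {
	Path    string
	Allowed bool
	Reason  string
}

// Evaluate decides whether the executable at path, with the given bytes,
// may run. Only the digest matters: an unknown program is blocked under
// AllowByException and permitted under DenyByException, which is the
// whole difference between the two enhancements.
func (p *Policy) Evaluate(path string, content []byte) Decision {
	entry, known := p.listed[Digest(content)]
	switch {
	case p.Mode == AllowByException && known:
		return Decision{Path: path, Allowed: true, Reason: "authorized program " + entry.Name}
	case p.Mode == AllowByException:
		return Decision{Path: path, Allowed: false, Reason: "not on the authorized list"}
	case known:
		return Decision{Path: path, Allowed: false, Reason: "prohibited program " + entry.Name}
	default:
		return Decision{Path: path, Allowed: true, Reason: "not on the prohibited list"}
	}
}

func main() {
	// Constructed executables and exec events (sample bytes, not real binaries).
	sshd, nc := []byte("sshd build 9.6p1"), []byte("netcat build 1.226")
	events := []struct {
		path    string
		content []byte
	}{
		{"/usr/sbin/sshd", sshd},
		{"/tmp/.x/sshd", sshd},                      // same binary copied elsewhere
		{"/usr/sbin/sshd", []byte("sshd + implant")}, // modified in place
		{"/usr/bin/nc", nc},
		{"/home/dev/dropper", []byte("never seen before")},
	}
	allow := NewPolicy(AllowByException, []Program{{Name: "sshd", Digest: Digest(sshd)}})
	deny := NewPolicy(DenyByException, []Program{{Name: "nc", Digest: Digest(nc)}})
	for _, e := range events {
		fmt.Printf("%-18s allow-by-exception=%t  deny-by-exception=%t\n",
			e.path, allow.Evaluate(e.path, e.content).Allowed, deny.Evaluate(e.path, e.content).Allowed)
	}
}
```

The last event is the reason CM-7(5) is the one in the FedRAMP baselines: a dropper nobody has seen before is allowed under deny-by-exception and blocked under allow-by-exception, while a denylist can only ever catch what has already been catalogued.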


CM-07 (06) (Confined Environments with Limited Privileges)

Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-07 (07) (Code Execution in Protected Environments)

Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is:

  • (a) Obtained from sources with limited or no warranty; and/or
  • (b) Without the provision of source code.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-07 (08) (Binary or Machine Executable Code)

  • (a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and
  • (b) Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-07 (09) (Prohibiting the Use of Unauthorized Hardware)

  • (a) Identify [Assignment: organization-defined hardware components];
  • (b) Prohibit the use or connection of unauthorized hardware components;
  • (c) Review and update the list of authorized hardware components [Assignment: organization-defined frequency].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-08 (System Component Inventory)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Develop and document an inventory of system components that:
    • 1. Accurately reflects the system;
    • 2. Includes all components within the system;
    • 3. Does not include duplicate accounting of components or components assigned to any other system;
    • 4. Is at the level of granularity deemed necessary for tracking and reporting; and
    • 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information]; and
  • b. Review and update the system component inventory [Assignment: organization-defined frequency].

FedRAMP Guidance

Follow the FedRAMP Continuous Collaborative Monitoring, Significant Change Notification, Vulnerability Detection and Response, and Vulnerability Evaluation and Reporting rules.


CM-08 (01) (Updates During Installation and Removal)

FedRAMP Rev5 Baselines: Class C, Class D

Update the inventory of system components as part of component installations, removals, and system updates.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-08 (02) (Automated Maintenance)

FedRAMP Rev5 Baselines: Class D

Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-08 (03) (Automated Unauthorized Component Detection)

FedRAMP Rev5 Baselines: Class C, Class D
  • (a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and
  • (b) Take the following actions when unauthorized components are detected: [Selection: one or more of: disable network access by unauthorized components; isolate unauthorized components; notify [Assignment: organization-defined personnel or roles]].

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.
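
CM-8a.3 and CM-8(3) together describe a reconciliation: the inventory must not count a component twice or under two systems, discovery must surface components that are present but not inventoried, and each such component gets one of the listed responses. The Go program below is an added example of that reconciliation, not code from this page, NIST or FedRAMP. The inventory records, discovery results and the mapping from component kind to response are constructed assumptions; the only thing it takes from the control is the shape of the three outputs and the three response options.

```go
package main

import (
	"fmt"
	"sort"
)

// Asset is one inventory record: System is the single system the
// component is assigned to (CM-8a.3) and Owner the accountable
// administrator (CM-8(4)).
type Asset struct{ ID, System, Kind, Owner string }

// Sighting is one component reported by the automated discovery mechanism
// (assumption: the scanner yields a stable ID such as a serial number,
// cloud instance ID, or package name@version, plus a kind).
type Sighting struct{ ID, Kind string }

// Report is the outcome of one reconciliation run.
type Report struct {
	Duplicates   []string   // IDs listed twice or claimed by two systems (CM-8a.3)
	Unauthorized []Sighting // discovered on the system but not in its inventory (CM-8(3)(a))
	Unseen       []string   // inventoried for the system but not discovered: removed and never deregistered?
	Actions      []string   // CM-8(3)(b) responses for the unauthorized components
}

// Responder picks the CM-8(3)(b) action for one unauthorized component.
type Responder func(Sighting) string

// Reconcile compares what discovery found on `system` with the inventory.
// The duplicate check covers the whole inventory because a component
// counted under two systems is an inventory error no matter which one is
// being scanned.
func Reconcile(system string, inventory []Asset, seen []Sighting, respond Responder) Report {
	var rep Report
	count := map[string]int{}
	expected := map[string]bool{}
	for _, a := range inventory {
		count[a.ID]++
		if a.System == system {
			expected[a.ID] = true
		}
	}
	for id, n := range count {
		if n > 1 {
			rep.Duplicates = append(rep.Duplicates, id)
		}
	}
	found := map[string]bool{}
	for _, s := range seen {
		found[s.ID] = true
		if !expected[s.ID] {
			rep.Unauthorized = append(rep.Unauthorized, s)
			rep.Actions = append(rep.Actions, respond(s))
		}
	}
	for id := range expected {
		if !found[id] {
			rep.Unseen = append(rep.Unseen, id)
		}
	}
	sort.Strings(rep.Duplicates)
	sort.Strings(rep.Unseen)
	return rep
}

// DefaultResponse is one possible organization-defined selection from
// CM-8(3)(b) (an assumption, not a FedRAMP value): unknown hardware loses
// network access, unknown software is isolated pending review, and
// unknown firmware only triggers a notification because cutting off a
// device mid-update can leave it unbootable.
func DefaultResponse(s Sighting) string {
	switch s.Kind {
	case "hardware":
		return "disable network access for " + s.ID
	case "software":
		return "isolate " + s.ID
	default:
		return "notify system owner about " + s.ID
	}
}

func main() {
	// Constructed inventory and discovery results (sample data, not a real environment).
	inventory := []Asset{
		{"SN-1001", "payroll", "hardware", "j.doe"},
		{"SN-1002", "payroll", "hardware", "j.doe"},
		{"SN-1002", "hr-portal", "hardware", "a.lee"}, // the same switch claimed by two systems
		{"openssl@3.0.13", "payroll", "software", "j.doe"},
	}
	seen := []Sighting{{"SN-1001", "hardware"}, {"openssl@3.0.13", "software"}, {"SN-9999", "hardware"}, {"nmap@7.94", "software"}}
	fmt.Printf("%+v\n", Reconcile("payroll", inventory, seen, DefaultResponse))
}
```

The Unseen list is the half of CM-8(1) that discovery alone cannot satisfy: a component that was removed without updating the inventory still counts as an inventory error, and in an assessment it is usually the more common one.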


CM-08 (04) (Accountability Information)

FedRAMP Rev5 Baselines: Class D

Include in the system component inventory information, a means for identifying by [Selection: one or more of: name; position; role], individuals responsible and accountable for administering those components.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-08 (06) (Assessed Configurations and Approved Deviations)

Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-08 (07) (Centralized Repository)

Provide a centralized repository for the inventory of system components.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-08 (08) (Automated Location Tracking)

Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-08 (09) (Assignment of Components to Systems)

  • (a) Assign system components to a system; and
  • (b) Receive an acknowledgement from [Assignment: organization-defined personnel or roles] of this assignment.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-09 (Configuration Management Plan)

FedRAMP Rev5 Baselines: Class C, Class D

Develop, document, and implement a configuration management plan for the system that:

  • a. Addresses roles, responsibilities, and configuration management processes and procedures;
  • b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
  • c. Defines the configuration items for the system and places the configuration items under configuration management;
  • d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and
  • e. Protects the configuration management plan from unauthorized disclosure and modification.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-09 (01) (Assignment of Responsibility)

Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-10 (Software Usage Restrictions)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Use software and associated documentation in accordance with contract agreements and copyright laws;
  • b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
  • c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-10 (01) (Open-source Software)

Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-11 (User-installed Software)

FedRAMP Rev5 Baselines: Class B, Class C, Class D
  • a. Establish [Assignment: organization-defined policies] governing the installation of software by users;
  • b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and
  • c. Monitor policy compliance [Assignment: organization-defined frequency].

FedRAMP Parameters

Parameter ID     NIST assignment    FedRAMP value
cm-11_odp.03     frequency          Continuously (via CM-7 (5))

CM-11 (02) (Software Installation with Privileged Status)

Allow user installation of software only with explicit privileged status.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-11 (03) (Automated Enforcement and Monitoring)

Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms].


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-12 (Information Location)

FedRAMP Rev5 Baselines: Class C, Class D
  • a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
  • b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
  • c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

FedRAMP Guidance

Follow the FedRAMP Minimum Assessment Scope rules.


CM-12 (01) (Automated Tools to Support Information Location)

FedRAMP Rev5 Baselines: Class C, Class D

Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.


FedRAMP Guidance

Follow the FedRAMP Minimum Assessment Scope rules.


CM-13 (Data Action Mapping)

Develop and document a map of system data actions.


This control does not have additional FedRAMP guidance or FedRAMP-assigned parameter values.


CM-14 (Signed Components)

FedRAMP Rev5 Baselines: Class D

Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.


FedRAMP Guidance

If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be utilized.
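
The Go program below is an added example of the installation gate CM-14 describes, together with the fallback the FedRAMP guidance permits; it is not code from this page, NIST or FedRAMP. It assumes Ed25519 public keys as a stand-in for organization-approved certificates (a production gate would validate an X.509 chain or a transparency-log entry instead), and the artifact bytes, key identifiers and component names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// TrustStore holds the signing keys the organization recognizes and
// approves. Raw Ed25519 public keys stand in for code-signing
// certificates here (assumption for the example).
type TrustStore struct{ keys map[string]ed25519.PublicKey }

func NewTrustStore() *TrustStore { return &TrustStore{keys: map[string]ed25519.PublicKey{}} }

// Approve registers a key under the identifier the release pipeline uses.
func (t *TrustStore) Approve(keyID string, pub ed25519.PublicKey) { t.keys[keyID] = pub }

// Component is an artifact staged for installation together with
// whatever integrity evidence travels with it.
type Component struct {
	Name      string
	Content   []byte
	KeyID     string // which approved key claims to have signed Content
	Signature []byte // Ed25519 signature over Content; nil if unsigned
}

var (
	ErrUnsigned       = errors.New("unsigned component and no pinned digest")
	ErrUnknownKey     = errors.New("signing key is not approved by the organization")
	ErrBadSignature   = errors.New("signature does not verify over the content")
	ErrDigestMismatch = errors.New("content does not match the pinned digest")
)

// Gate is the check CM-14 puts in front of installation. A signature from
// an approved key is the normal path. The fallback FedRAMP allows, a
// cryptographic digest, only helps when pinnedDigest was obtained out of
// band; a digest shipped beside the artifact over the same channel proves
// nothing, because whoever replaced the artifact can replace it too.
func Gate(ts *TrustStore, c Component, pinnedDigest string) error {
	if c.Signature != nil {
		pub, ok := ts.keys[c.KeyID]
		if !ok {
			return ErrUnknownKey // a signature from an unapproved key is never downgraded to the digest path
		}
		if !ed25519.Verify(pub, c.Content, c.Signature) {
			return ErrBadSignature
		}
		return nil
	}
	if pinnedDigest == "" {
		return ErrUnsigned
	}
	want, err := hex.DecodeString(pinnedDigest)
	sum := sha256.Sum256(c.Content)
	if err != nil || subtle.ConstantTimeCompare(sum[:], want) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

// GenerateSigningKey makes a fresh key pair; it stands in for the
// organization's code-signing CA in this example.
func GenerateSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign is what the release pipeline attaches to an artifact.
func Sign(priv ed25519.PrivateKey, keyID, name string, content []byte) Component {
	return Component{Name: name, Content: content, KeyID: keyID, Signature: ed25519.Sign(priv, content)}
}

// PinnedDigest is the hex SHA-256 an operator records out of band.
func PinnedDigest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

func main() {
	pub, priv := GenerateSigningKey()
	ts := NewTrustStore()
	ts.Approve("release-2026", pub)

	// Constructed artifact bytes (not a real package).
	agent := []byte("monitoring-agent 1.4.2")
	signed := Sign(priv, "release-2026", "monitoring-agent", agent)
	fmt.Println("signed by approved key: ", Gate(ts, signed, ""))

	tampered := signed
	tampered.Content = []byte("monitoring-agent 1.4.2 + implant")
	fmt.Println("tampered after signing: ", Gate(ts, tampered, ""))

	unsigned := Component{Name: "legacy-driver", Content: []byte("driver 0.9")}
	fmt.Println("unsigned, digest pinned:", Gate(ts, unsigned, PinnedDigest(unsigned.Content)))
	fmt.Println("unsigned, no pin:       ", Gate(ts, unsigned, ""))
}
```

The digest path is only as strong as the channel the digest came over: a checksum file downloaded next to the package from the same mirror is replaced together with it, so the pinned value belongs in a signed manifest, a change ticket, or a vendor page fetched over TLS, never beside the artifact. The gate also refuses to downgrade a component whose signature comes from an unapproved key: that is a stronger signal of tampering than no signature at all.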

