Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/CM

CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES

Control: The organization develops, disseminates, and reviews/updates [Assignment: organization-defined frequency]:

a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

Supplemental Guidance: This control is intended to produce the policy and procedures that are required for the effective implementation of selected security controls and control enhancements in the configuration management family. The policy and procedures are consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Existing organizational policies and procedures may make the need for additional specific policies and procedures unnecessary. The configuration management policy can be included as part of the general information security policy for the organization. Configuration management procedures can be developed for the security program in general and for a particular information system, when required. The organizational risk management strategy is a key factor in the development of the configuration management policy. Related control: PM-9.

Control Enhancements: None.

Determine if: (i) the organization develops and formally documents configuration management policy; (ii) the organization configuration management policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented configuration management policy to elements within the organization having associated configuration management roles and responsibilities; (iv) the organization develops and formally documents configuration management procedures; (v) the organization configuration management procedures facilitate implementation of the configuration management policy and associated configuration management controls; and (vi) the organization disseminates formal documented configuration management procedures to elements within the organization having associated configuration management roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities].

Determine if: (i) the organization defines the frequency of configuration management policy reviews/updates; (ii) the organization reviews/updates configuration management policy in accordance with organization-defined frequency; (iii) the organization defines the frequency of configuration management procedure reviews/updates; and (iv) the organization reviews/updates configuration management procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities].

CM-2 BASELINE CONFIGURATION

Control: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

Supplemental Guidance: This control establishes a baseline configuration for the information system and its constituent components including communications and connectivity-related aspects of the system. The baseline configuration provides information about the components of an information system (e.g., the standard software load for a workstation, server, network component, or mobile device including operating system/installed applications with current version numbers and patch information), network topology, and the logical placement of the component within the system architecture. The baseline configuration is a documented, up-to-date specification to which the information system is built. Maintaining the baseline configuration involves creating new baselines as the information system changes over time. The baseline configuration of the information system is consistent with the organization's enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9.

Control Enhancements:

Determine if: (i) the organization develops and documents a baseline configuration of the information system and (ii) the organization maintains, under configuration control, a current baseline configuration of the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; enterprise architecture documentation; information system design documentation; information system architecture and configuration documentation; other relevant documents or records].

(1) The organization reviews and updates the baseline configuration of the information system:

(a) [Assignment: organization-defined frequency];

(b) When required due to [Assignment organization-defined circumstances]; and

(c) As an integral part of information system component installations and upgrades.

Determine if: (i) the organization defines: the frequency of reviews and updates to the baseline configuration of the information system; and the circumstances that require reviews and updates to the baseline configuration of the information system; and (ii) the organization reviews and updates the baseline configuration of the information system in accordance with the organization-defined frequency; when required due to organization-defined circumstances; and as an integral part of information system component installations and upgrades.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system architecture and configuration documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].

(2) The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

Enhancement Supplemental Guidance: Software inventory tools are examples of automated mechanisms that help organizations maintain consistent baseline configurations for information systems. Software inventory tools can be deployed for each operating system in use within the organization (e.g., on workstations, servers, network components, mobile devices) and used to track operating system version numbers, applications and types of software installed on the operating systems, and current patch levels. Software inventory tools can also scan information systems for unauthorized software to validate organization-defined lists of authorized and unauthorized software programs.

Determine if the organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system design documentation; information system architecture and configuration documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing baseline configuration maintenance].

(3) The organization retains older versions of baseline configurations as deemed necessary to support rollback.

Determine if the organization retains older versions of baseline configurations as deemed necessary to support rollback.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system architecture and configuration documentation; historical copies of baseline configurations; other relevant documents or records].

(4) The organization:

(a) Develops and maintains [Assignment: organization-defined list of software programs not authorized to execute on the information system]; and

(b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.

Determine if: (i) the organization develops and maintains a list of software programs not authorized to execute on the information system; and (ii) the organization employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; list of software programs not authorized to execute on the information system; information system architecture and configuration documentation; security plan; other relevant documents or records].

(5) The organization:

(a) Develops and maintains [Assignment: organization-defined list of software programs authorized to execute on the information system]; and

(b) Employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.

Determine if: (i) the organization develops and maintains a list of software programs authorized to execute on the information system; and (ii) the organization employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; list of software authorized to execute on the information system; information system architecture and configuration documentation; security plan; other relevant documents or records].

(6) The organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.

Determine if the organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system design documentation; information system architecture and configuration documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing baseline configuration environments].

CM-3 CONFIGURATION CHANGE CONTROL

Control: The organization:

a. Determines the types of changes to the information system that are configuration controlled;

b. Approves configuration-controlled changes to the system with explicit consideration for security impact analyses;

c. Documents approved configuration-controlled changes to the system;

d. Retains and reviews records of configuration-controlled changes to the system;

e. Audits activities associated with configuration-controlled changes to the system; and

f. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board] that convenes [Selection: (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions.

Supplemental Guidance: The organization determines the types of changes to the information system that are configuration controlled. Configuration change control for the information system involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the system, including upgrades and modifications. Configuration change control includes changes to components of the information system, changes to the configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers), emergency changes, and changes to remediate flaws. A typical organizational process for managing configuration changes to the information system includes, for example, a chartered Configuration Control Board that approves proposed changes to the system. Auditing of changes refers to changes in activity before and after a change is made to the information system and the auditing activities required to implement the change. Related controls: CM-4, CM-5, CM-6, SI-2.

Control Enhancements:

Determine if: (i) the organization determines the types of changes to the information system that are configuration controlled; (ii) the organization approves configuration-controlled changes to the system with explicit consideration for security impact analyses; (iii) the organization documents approved configuration-controlled changes to the system; (iv) the organization retains and reviews records of configuration-controlled changes to the system; (v) the organization audits activities associated with configuration-controlled changes to the system; (vi) the organization defines: the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities; the frequency with which the configuration change control element convenes; and/or; configuration change conditions that prompt the configuration change control element to convene. (vii) the organization coordinates and provides oversight for configuration change control activities through the organization-defined configuration change control element that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system architecture and configuration documentation; security plan; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].

(1) The organization employs automated mechanisms to:

(a) Document proposed changes to the information system;

(b) Notify designated approval authorities;

(c) Highlight approvals that have not been received by [Assignment: organization-defined time period];

(d) Inhibit change until designated approvals are received; and

(e) Document completed changes to the information system.

Determine if: (i) the organization defines the time period after which approvals that have not been received for proposed changes to the information system are highlighted; and (ii) the organization employs automated mechanisms to: document proposed changes to the information system; notify designated approval authorities; highlight approvals that have not been received by the organization-defined time period; inhibit change until designated approvals are received; and document completed changes to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; automated configuration control mechanisms; change control records; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing configuration change control].

(2) The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

Enhancement Supplemental Guidance: The organization ensures that testing does not interfere with information system operations. The individual/group conducting the tests understands the organizational information security policies and procedures, the information system security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. An operational system may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If an information system must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. In situations where the organization cannot conduct testing of an operational system, the organization employs compensating controls (e.g., providing a replicated system to conduct testing) in accordance with the general tailoring guidance.

Determine if the organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].

(3) The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.

Enhancement Supplemental Guidance: Related controls: CM-2, CM-6.

Determine if: (i) the organization employs automated mechanisms to implement changes to the current information system baseline; and (ii) the organization deploys the updated baseline across the installed base.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; automated configuration control mechanisms; change control records; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing changes to the information system baseline].

(4) The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element (e.g., committee, board)].

Enhancement Supplemental Guidance: Information security representatives can include, for example, information system security officers or information system security managers. The configuration change control element in this control enhancement is consistent with the change control element defined by the organization in CM-3.

Determine if the organization requires an information security representative to be a member of the configuration change control element as defined by the organization in CM-3.1 (vi).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; security plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].

CM-4 SECURITY IMPACT ANALYSIS

Control: The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

Supplemental Guidance: Security impact analyses are conducted by organizational personnel with information security responsibilities, including for example, Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers. Individuals conducting security impact analyses have the appropriate skills and technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing information system documentation such as the security plan to understand how specific security controls are implemented within the system and how the changes might affect the controls. Security impact analysis may also include an assessment of risk to understand the impact of the changes and to determine if additional security controls are required. Security impact analysis is scaled in accordance with the security categorization of the information system. Related controls: CA-2, CA-7, CM-3, CM-9, SI-2.

Control Enhancements:

Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing security impact analysis for changes to the information system; security impact analysis documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for determining security impacts prior to implementation of information system changes].

(1) The organization analyzes new software in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

Determine if: (i) the organization analyzes new software in a separate test environment before installation in an operational environment; and (ii) the organization, when analyzing new software in a separate test environment, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing security impact analysis for changes to the information system; security impact analysis documentation; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; information system test and operational environments; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for determining security impacts prior to implementation of information system changes].

(2) The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.

Enhancement Supplemental Guidance: Changes include information system upgrades and modifications.

Determine if the organization, after the information system is changed, checks the security functions to verify that the functions are: implemented correctly; operating as intended; and producing the desired outcome with regard to meeting the security requirements for the system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing security impact analysis for changes to the information system; security impact analysis documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for determining security impacts prior to implementation of information system changes].

CM-5 ACCESS RESTRICTIONS FOR CHANGE

Control: The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Supplemental Guidance: Any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Additionally, maintaining records of access is essential for ensuring that configuration change control is being implemented as intended and for supporting after-the-fact actions should the organization become aware of an unauthorized change to the information system. Access restrictions for change also include software libraries. Examples of access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes are implemented into a third-party interface rather than directly into the information system component), and change windows (e.g., changes occur only during specified times, making unauthorized changes outside the window easy to discover). Some or all of the enforcement mechanisms and processes necessary to implement this security control are included in other controls. For measures implemented in other controls, this control provides information to be used in the implementation of the other controls to cover specific needs related to enforcing authorizations to make changes to the information system, auditing changes, and retaining and review records of changes. Related controls: AC-3, AC-6, PE-3.

Control Enhancements:

Determine if the organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with logical access control responsibilities; organizational personnel with physical access control responsibilities].

Test: [SELECT FROM: Change control process and associated restrictions for changes to the information system].

(1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

Determine if the organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing access restrictions for changes to the information system].

(2) The organization conducts audits of information system changes [Assignment: organization-defined frequency] and when indications so warrant to determine whether unauthorized changes have occurred.

Determine if: (i) the organization defines the frequency for conducting audits of information system changes; and (ii) the organization conducts audits of information system changes in accordance with the organization-defined frequency and when indications so warrant to determine whether unauthorized changes have occurred.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; security plan; change control records; information system audit records; other relevant documents or records].

(3) The information system prevents the installation of [Assignment: organization-defined critical software programs] that are not signed with a certificate that is recognized and approved by the organization.

Enhancement Supplemental Guidance: Critical software programs and/or modules include, for example, patches, service packs, and where applicable, device drivers.

Determine if: (i) the organization defines critical software programs that the information system will prevent from being installed if such software programs are not signed with a recognized and approved certificate; and (ii) the information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; list of critical software programs to be prohibited from installation without an approved certificate; information system design documentation; information system architecture and configuration documentation; security plan; change control records; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Information system mechanisms preventing installation of software programs not signed with an organization-approved certificate].

(4) The organization enforces a two-person rule for changes to [Assignment: organization-defined information system components and system-level information].

Determine if: (i) the organization defines information system components and system-level information requiring enforcement of a two-person rule for information system changes; and (ii) the organization enforces a two-person rule for changes to organization-defined information system components and system-level information.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; security plan; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel responsible for enforcing a two-person rule for system changes].

(5) The organization:

(a) Limits information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within a production environment; and

(b) Reviews and reevaluates information system developer/integrator privileges [Assignment: organization-defined frequency].

Determine if: (i) the organization limits information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within a production environment; (ii) the organization defines the frequency for reviews and reevaluations of information system developer/integrator privileges; and (iii) the organization reviews and reevaluates information system developer/integrator privileges in accordance with the organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; security plan; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with logical access control responsibilities; organizational personnel with physical access control responsibilities].

(6) The organization limits privileges to change software resident within software libraries (including privileged programs).

Determine if the organization limits privileges to change software resident within software libraries (including privileged programs).

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

(7) The information system automatically implements [Assignment: organization-defined safeguards and countermeasures] if security functions (or mechanisms) are changed inappropriately.

Enhancement Supplemental Guidance: The information system reacts automatically when inappropriate and/or unauthorized modifications have occurred to security functions or mechanisms. Automatic implementation of safeguards and countermeasures includes, for example, reversing the change, halting the information system or triggering an audit alert when an unauthorized modification to a critical security file occurs.

Determine if: (i) the organization defines safeguards and countermeasures to be employed by the information system if security functions (or mechanisms) are changed inappropriately; and (ii) the information system automatically implements organization-defined safeguards and countermeasures if security functions (or mechanisms) are changed inappropriately.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Information system implementing safeguards and countermeasures for inappropriate changes to security functions].

CM-6 CONFIGURATION SETTINGS

Control: The organization:

a. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;

b. Implements the configuration settings;

c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and

d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Supplemental Guidance: Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters impacting the security state of the system including parameters related to meeting other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections. Organizations establish organization-wide mandatory configuration settings from which the settings for a given information system are derived. A security configuration checklist (sometimes referred to as a lockdown guide, hardening guide, security guide, security technical implementation guide [STIG], or benchmark) is a series of instructions or procedures for configuring an information system component to meet operational requirements. Checklists can be developed by information technology developers and vendors, consortia, academia, industry, federal agencies (and other government organizations), and others in the public and private sectors. An example of a security configuration checklist is the Federal Desktop Core Configuration (FDCC) which potentially affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: CM-2, CM-3, SI-4.

Control Enhancements:

Determine if: (i) the organization defines security configuration checklists to be used to establish and document mandatory configuration settings for the information system technology products employed; (ii) the organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements; (iii) the organization establishes and documents mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists; (iv) the organization implements the security configuration settings; (v) the organization identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and (vi) the organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities].

(1) The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.

Determine if the organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the centralized management, application, and verification of configuration settings].

(2) The organization employs automated mechanisms to respond to unauthorized changes to [Assignment: organization-defined configuration settings].

Enhancement Supplemental Guidance: Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring mandatory/organization-defined configuration settings, or in the extreme case, halting affected information system processing.

Determine if: (i) the organization defines configuration settings that, if modified by unauthorized changes, initiate the automated mechanisms to be employed to respond to such changes; and (ii) the organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; security plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing responses to unauthorized changes to configuration settings].

(3) The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.

Enhancement Supplemental Guidance: Related controls: IR-4, IR-5.

Determine if: (i) the organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability; and (ii) the organization ensures that such detected events are tracked, monitored, corrected, and available for historical purposes.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; procedures addressing incident response planning; information system design documentation; information system configuration settings and associated documentation; incident response plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities; organization personnel with incident response planning responsibilities].

(4) The information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists), prior to being introduced into a production environment.

Determine if the information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists), prior to being introduced into a production environment.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities].

CM-7 LEAST FUNCTIONALITY

Control: The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined list of prohibited or restricted functions, ports, protocols, and/or services].

Supplemental Guidance: Information systems are capable of providing a wide variety of functions and services. Some of the functions and services, provided by default, may not be necessary to support essential organizational operations (e.g., key missions, functions). Additionally, it is sometimes convenient to provide multiple services from a single component of an information system, but doing so increases risk over limiting the services provided by any one component. Where feasible, organizations limit component functionality to a single function per device (e.g., email server or web server, not both). The functions and services provided by organizational information systems, or individual components of information systems, are carefully reviewed to determine which functions and services are candidates for elimination (e.g., Voice Over Internet Protocol, Instant Messaging, auto-execute, file sharing). Organizations consider disabling unused or unnecessary physical and logical ports and protocols (e.g., Universal Serial Bus [USB], File Transfer Protocol [FTP], Internet Protocol Version 6 [IPv6], Hyper Text Transfer Protocol [HTTP]) on information system components to prevent unauthorized connection of devices, unauthorized transfer of information, or unauthorized tunneling. Organizations can utilize network scanning tools, intrusion detection and prevention systems, and end-point protections such as firewalls and host-based intrusion detection systems to identify and prevent the use of prohibited functions, ports, protocols, and services. Related control: RA-5.

Control Enhancements:

Determine if: (i) the organization defines for the information system prohibited or restricted: functions; ports; protocols; and services; (ii) the organization configures the information system to provide only essential capabilities; and (iii) the organization configures the information system to specifically prohibit or restrict the use of organization-defined: functions; ports; protocols; and/or services.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Test: [SELECT FROM: Information system for disabling or restricting functions, ports, protocols, and services].

(1) The organization reviews the information system [Assignment: organization-defined frequency] to identify and eliminate unnecessary functions, ports, protocols, and/or services.

Determine if: (i) the organization defines the frequency of information system reviews to identify and eliminate unnecessary: functions; ports; protocols; and/or services; and (ii) the organization reviews the information system in accordance with organization-defined frequency to identify and eliminate unnecessary: functions; ports; protocols; and/or services.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for identifying and eliminating unnecessary functions, ports, protocols, and services on the information system].

(2) The organization employs automated mechanisms to prevent program execution in accordance with [Selection (one or more): list of authorized software programs; list of unauthorized software programs; rules authorizing the terms and conditions of software program usage].

Enhancement Supplemental Guidance: Related control: CM-2.

Determine if: (i) the organization develops and maintains one or more of the following specifications to prevent software program execution on the information system: a list of software programs authorized to execute on the information system; a list of software programs not authorized to execute on the information system; and/or rules authorizing the terms and conditions of software program usage on the information system; and (ii) the organization employs automated mechanisms to prevent software program execution on the information system in accordance with the organization-defined specifications.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system design documentation; specification of preventing software program execution; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms preventing software program execution on the information system].

(3) The organization ensures compliance with [Assignment: organization-defined registration requirements for ports, protocols, and services].

Enhancement Supplemental Guidance: Organizations use the registration process to manage, track, and provide oversight for information systems and implemented functionality.

Determine if: (i) the organization defines registration requirements for: ports; protocols; and services; and (ii) the organization ensures compliance with organization-defined registration requirements for: ports; protocols; and services.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; other relevant documents or records].

CM-8 INFORMATION SYSTEM COMPONENT INVENTORY

Control: The organization develops, documents, and maintains an inventory of information system components that:

a. Accurately reflects the current information system;

b. Is consistent with the authorization boundary of the information system;

c. Is at the level of granularity deemed necessary for tracking and reporting;

d. Includes [Assignment: organization-defined information deemed necessary to achieve effective property accountability]; and

e. Is available for review and audit by designated organizational officials.

Supplemental Guidance: Information deemed to be necessary by the organization to achieve effective property accountability can include, for example, hardware inventory specifications (manufacturer, type, model, serial number, physical location), software license information, information system/component owner, and for a networked component/device, the machine name and network address. Related controls: CM-2, CM-6.

Control Enhancements:

Determine if: (i) the organization defines information deemed necessary to achieve effective property accountability; and (ii) the organization develops, documents, and maintains an inventory of information system components that: accurately reflects the current information system; is consistent with the authorization boundary of the information system; is at the level of granularity deemed necessary for tracking and reporting; includes organization-defined information deemed necessary to achieve effective property accountability; and is available for review and audit by designated organizational officials.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system inventory records; other relevant documents or records].

(1) The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

Determine if the organization updates the inventory of information system components as an integral part of component: installations; removals; and information system updates.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system inventory records; component installation records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system installation and inventory responsibilities].

(2) The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

Enhancement Supplemental Guidance: Organizations maintain the information system inventory to the extent feasible. Virtual machines, for example, can be difficult to monitor because they are not visible to the network when not in use. In such cases, the intent of this control enhancement is to maintain as up-to-date, complete, and accurate an inventory as is reasonable.

Determine if the organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system design documentation; information system inventory records; component installation records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information system component inventory management].

(3) The organization:

(a) Employs automated mechanisms [Assignment: organization-defined frequency] to detect the addition of unauthorized components/devices into the information system; and

(b) Disables network access by such components/devices or notifies designated organizational officials.

Enhancement Supplemental Guidance: This control enhancement is applied in addition to the monitoring for unauthorized remote connections in AC-17 and for unauthorized mobile devices in AC-19. The monitoring for unauthorized components/devices on information system networks may be accomplished on an ongoing basis or by the periodic scanning of organizational networks for that purpose. Automated mechanisms can be implemented within the information system and/or in another separate information system or device. Related controls: AC-17, AC-19.

Determine if: (i) the organization defines the frequency of employing automated mechanisms to detect the addition of unauthorized components/devices into the information system; (ii) the organization employs automated mechanisms, in accordance with the organization-defined frequency, to detect the addition of unauthorized components/devices into the information system; and (iii) the organization disables network access by such components/devices or notifies designated organizational officials.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system design documentation; information system inventory records; component installation records; change control records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms for detecting unauthorized components/devices on the information system].

(4) The organization includes in property accountability information for information system components, a means for identifying by [Selection (one or more): name; position; role] individuals responsible for administering those components.

Determine if the organization includes in property accountability information for information system components, a means for identifying by name, position, or role, individuals responsible for administering those components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system inventory records; component installation records; other relevant documents or records].

(5) The organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.

Determine if the organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system inventory records; component installation records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system inventory responsibilities; organizational personnel with responsibilities for defining information system components within the authorization boundary of the system].

(6) The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.

Enhancement Supplemental Guidance: This control enhancement focuses on the configuration settings established by the organization for its information system components, the specific information system components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings in the deployed information system components. Related controls: CM-2, CM-6.

Determine if the organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system design documentation; information system inventory records; component installation records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with inventory management and assessment responsibilities for information system components].

CM-9 CONFIGURATION MANAGEMENT PLAN

Control: The organization develops, documents, and implements a configuration management plan for the information system that:

a. Addresses roles, responsibilities, and configuration management processes and procedures;

b. Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and

c. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.

Supplemental Guidance: Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration managed. The configuration management plan satisfies the requirements in the organization's configuration management policy while being tailored to the individual information system. The configuration management plan defines detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. The plan describes how to move a change through the change management process, how configuration settings and configuration baselines are updated, how the information system component inventory is maintained, how development, test, and operational environments are controlled, and finally, how documents are developed, released, and updated. The configuration management approval process includes designation of key management stakeholders that are responsible for reviewing and approving proposed changes to the information system, and security personnel that would conduct an impact analysis prior to the implementation of any changes to the system. Related control: SA-10.

Control Enhancements:

Determine if the organization develops, documents, and implements a configuration management plan for the information system that: addresses roles, responsibilities, and configuration management processes and procedures; defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration management planning; security plan; other relevant documents or records].

(1) The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.

Enhancement Supplemental Guidance: In the absence of a dedicated configuration management team, the system integrator may be tasked with developing the configuration management process.

Determine if the organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing responsibilities for configuration management process development; security plan other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for configuration management process development].