a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
   1. [Selection (one or more): Organization-level; Mission/business process-level; System-level] configuration management policy that:
      (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
   2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
c. Review and update the current configuration management:
   1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
   2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].
a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and
b. Review and update the baseline configuration of the system:
   1. [Assignment: organization-defined frequency];
   2. When required due to [Assignment: organization-defined circumstances]; and
   3. When system components are installed or upgraded.
[Withdrawn: Incorporated into CM-2.]
Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using [Assignment: organization-defined automated mechanisms].
Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback.
[Withdrawn: Incorporated into CM-7(4).]
[Withdrawn: Incorporated into CM-7(5).]
Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.
(a) Issue [Assignment: organization-defined systems or system components] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
(b) Apply the following controls to the systems or components when the individuals return from travel: [Assignment: organization-defined controls].
a. Determine and document the types of changes to the system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
c. Document configuration change decisions associated with the system;
d. Implement approved configuration-controlled changes to the system;
e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
f. Monitor and review activities associated with configuration-controlled changes to the system; and
g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].
Use [Assignment: organization-defined automated mechanisms] to:
(a) Document proposed changes to the system;
(b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval;
(c) Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period];
(d) Prohibit changes to the system until designated approvals are received;
(e) Document all changes to the system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the system are completed.
Test, validate, and document changes to the system before finalizing the implementation of the changes.
Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms].
Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element].
Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses].
Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls].
Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances].
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
Analyze changes to the system in a separate test environment before implementation in an operational environment, looking for security and privacy impacts due to flaws, weaknesses, incompatibility, or intentional malice.
After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
(a) Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and
(b) Automatically generate audit records of the enforcement actions.
[Withdrawn: Incorporated into CM-3(7).]
[Withdrawn: Incorporated into CM-14.]
Enforce dual authorization for implementing changes to [Assignment: organization-defined system components and system-level information].
(a) Limit privileges to change system components and system-related information within a production or operational environment; and
(b) Review and reevaluate privileges [Assignment: organization-defined frequency].
Limit privileges to change software resident within software libraries.
[Withdrawn: Incorporated into SI-7.]
a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms].
Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions].
[Withdrawn: Incorporated into SI-7.]
[Withdrawn: Incorporated into CM-4.]
a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].
(a) Review the system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and
(b) Disable or remove [Assignment: organization-defined functions, ports, protocols, software, and services within the system deemed to be unnecessary and/or nonsecure].
Prevent program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies, rules of behavior, and/or access agreements regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
Ensure compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
(a) Identify [Assignment: organization-defined software programs not authorized to execute on the system];
(b) Employ an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the system; and
(c) Review and update the list of unauthorized software programs [Assignment: organization-defined frequency].
(a) Identify [Assignment: organization-defined software programs authorized to execute on the system];
(b) Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and
(c) Review and update the list of authorized software programs [Assignment: organization-defined frequency].
Require that the following user-installed software execute in a confined physical or virtual machine environment with limited privileges: [Assignment: organization-defined user-installed software].
Allow execution of binary or machine-executable code only in confined physical or virtual machine environments and with the explicit approval of [Assignment: organization-defined personnel or roles] when such code is:
(a) Obtained from sources with limited or no warranty; and/or
(b) Without the provision of source code.
(a) Prohibit the use of binary or machine-executable code from sources with limited or no warranty or without the provision of source code; and
(b) Allow exceptions only for compelling mission or operational requirements and with the approval of the authorizing official.
(a) Identify [Assignment: organization-defined hardware components authorized for system use];
(b) Prohibit the use or connection of unauthorized hardware components; and
(c) Review and update the list of authorized hardware components [Assignment: organization-defined frequency].
a. Develop and document an inventory of system components that:
   1. Accurately reflects the system;
   2. Includes all components within the system;
   3. Does not include duplicate accounting of components or components assigned to any other system;
   4. Is at the level of granularity deemed necessary for tracking and reporting; and
   5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information deemed necessary to achieve effective system component accountability]; and
b. Review and update the system component inventory [Assignment: organization-defined frequency].
Update the inventory of system components as part of component installations, removals, and system updates.
Maintain the currency, completeness, accuracy, and availability of the inventory of system components using [Assignment: organization-defined automated mechanisms].
(a) Detect the presence of unauthorized hardware, software, and firmware components within the system using [Assignment: organization-defined automated mechanisms] [Assignment: organization-defined frequency]; and
(b) Take the following actions when unauthorized components are detected: [Selection (one or more): disable network access by such components; isolate the components; notify [Assignment: organization-defined personnel or roles]].
Include in the system component inventory information a means for identifying, by [Selection (one or more): name; position; role], the individuals responsible and accountable for administering those components.
[Withdrawn: Incorporated into CM-8.]
Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.
Provide a centralized repository for the inventory of system components.
Support the tracking of system components by geographic location using [Assignment: organization-defined automated mechanisms].
(a) Assign system components to a system; and
(b) Receive an acknowledgement from [Assignment: organization-defined personnel or roles] of this assignment.
Develop, document, and implement a configuration management plan for the system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the system and places the configuration items under configuration management;
d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and
e. Protects the configuration management plan from unauthorized disclosure and modification.
Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.
a. Use software and associated documentation in accordance with contract agreements and copyright laws;
b. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
c. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Establish the following restrictions on the use of open-source software: [Assignment: organization-defined restrictions].
a. Establish [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and
c. Monitor policy compliance [Assignment: organization-defined frequency].
[Withdrawn: Incorporated into CM-8(3).]
Allow user installation of software only with explicit privileged status.
Enforce and monitor compliance with software installation policies using [Assignment: organization-defined automated mechanisms].
a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
c. Document changes to the location (i.e., system or system components) where the information is processed and stored.
Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.
Develop and document a map of system data actions.
Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.