Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/CM/High

Template:Doc:NIST SP 800-53r3 Appendix F/CM-1

Determine if: (i) the organization develops and formally documents configuration management policy; (ii) the organization configuration management policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented configuration management policy to elements within the organization having associated configuration management roles and responsibilities; (iv) the organization develops and formally documents configuration management procedures; (v) the organization configuration management procedures facilitate implementation of the configuration management policy and associated configuration management controls; and (vi) the organization disseminates formal documented configuration management procedures to elements within the organization having associated configuration management roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities].

Determine if: (i) the organization defines the frequency of configuration management policy reviews/updates; (ii) the organization reviews/updates configuration management policy in accordance with organization-defined frequency; (iii) the organization defines the frequency of configuration management procedure reviews/updates; and (iv) the organization reviews/updates configuration management procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-2

Determine if: (i) the organization develops and documents a baseline configuration of the information system and (ii) the organization maintains, under configuration control, a current baseline configuration of the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; enterprise architecture documentation; information system design documentation; information system architecture and configuration documentation; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-2/1

Determine if: (i) the organization defines: the frequency of reviews and updates to the baseline configuration of the information system; and the circumstances that require reviews and updates to the baseline configuration of the information system; and (ii) the organization reviews and updates the baseline configuration of the information system in accordance with the organization-defined frequency; when required due to organization-defined circumstances; and as an integral part of information system component installations and upgrades.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system architecture and configuration documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-2/2

Determine if the organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system design documentation; information system architecture and configuration documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing baseline configuration maintenance].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-2/3

Determine if the organization retains older versions of baseline configurations as deemed necessary to support rollback.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system architecture and configuration documentation; historical copies of baseline configurations; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-2/5

Determine if: (i) the organization develops and maintains a list of software programs authorized to execute on the information system; and (ii) the organization employs a deny-all, permit-by-exception authorization policy to identify software allowed to execute on the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; list of software authorized to execute on the information system; information system architecture and configuration documentation; security plan; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-2/6

Determine if the organization maintains a baseline configuration for development and test environments that is managed separately from the operational baseline configuration.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system design documentation; information system architecture and configuration documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing baseline configuration environments].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-3

Determine if: (i) the organization determines the types of changes to the information system that are configuration controlled; (ii) the organization approves configuration-controlled changes to the system with explicit consideration for security impact analyses; (iii) the organization documents approved configuration-controlled changes to the system; (iv) the organization retains and reviews records of configuration-controlled changes to the system; (v) the organization audits activities associated with configuration-controlled changes to the system; (vi) the organization defines: the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities; the frequency with which the configuration change control element convenes; and/or; configuration change conditions that prompt the configuration change control element to convene. (vii) the organization coordinates and provides oversight for configuration change control activities through the organization-defined configuration change control element that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system architecture and configuration documentation; security plan; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-3/1

Determine if: (i) the organization defines the time period after which approvals that have not been received for proposed changes to the information system are highlighted; and (ii) the organization employs automated mechanisms to: document proposed changes to the information system; notify designated approval authorities; highlight approvals that have not been received by the organization-defined time period; inhibit change until designated approvals are received; and document completed changes to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; automated configuration control mechanisms; change control records; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing configuration change control].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-3/2

Determine if the organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-4

Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing security impact analysis for changes to the information system; security impact analysis documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for determining security impacts prior to implementation of information system changes].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-4/1

Determine if: (i) the organization analyzes new software in a separate test environment before installation in an operational environment; and (ii) the organization, when analyzing new software in a separate test environment, looks for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing security impact analysis for changes to the information system; security impact analysis documentation; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; information system test and operational environments; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for determining security impacts prior to implementation of information system changes].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-5

Determine if the organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with logical access control responsibilities; organizational personnel with physical access control responsibilities].

Test: [SELECT FROM: Change control process and associated restrictions for changes to the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-5/1

Determine if the organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing access restrictions for changes to the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-5/2

Determine if: (i) the organization defines the frequency for conducting audits of information system changes; and (ii) the organization conducts audits of information system changes in accordance with the organization-defined frequency and when indications so warrant to determine whether unauthorized changes have occurred.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system design documentation; information system architecture and configuration documentation; security plan; change control records; information system audit records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-5/3

Determine if: (i) the organization defines critical software programs that the information system will prevent from being installed if such software programs are not signed with a recognized and approved certificate; and (ii) the information system prevents the installation of organization-defined critical software programs that are not signed with a certificate that is recognized and approved by the organization.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; list of critical software programs to be prohibited from installation without an approved certificate; information system design documentation; information system architecture and configuration documentation; security plan; change control records; information system audit records; other relevant documents or records].

Test: [SELECT FROM: Information system mechanisms preventing installation of software programs not signed with an organization-approved certificate].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-6

Determine if: (i) the organization defines security configuration checklists to be used to establish and document mandatory configuration settings for the information system technology products employed; (ii) the organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements; (iii) the organization establishes and documents mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists; (iv) the organization implements the security configuration settings; (v) the organization identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and (vi) the organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-6/1

Determine if the organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing the centralized management, application, and verification of configuration settings].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-6/2

Determine if: (i) the organization defines configuration settings that, if modified by unauthorized changes, initiate the automated mechanisms to be employed to respond to such changes; and (ii) the organization employs automated mechanisms to respond to unauthorized changes to organization-defined configuration settings.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; security plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing responses to unauthorized changes to configuration settings].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-6/3

Determine if: (i) the organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability; and (ii) the organization ensures that such detected events are tracked, monitored, corrected, and available for historical purposes.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; procedures addressing incident response planning; information system design documentation; information system configuration settings and associated documentation; incident response plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities; organization personnel with incident response planning responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-7

Determine if: (i) the organization defines for the information system prohibited or restricted: functions; ports; protocols; and services; (ii) the organization configures the information system to provide only essential capabilities; and (iii) the organization configures the information system to specifically prohibit or restrict the use of organization-defined: functions; ports; protocols; and/or services.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Test: [SELECT FROM: Information system for disabling or restricting functions, ports, protocols, and services].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-7/1

Determine if: (i) the organization defines the frequency of information system reviews to identify and eliminate unnecessary: functions; ports; protocols; and/or services; and (ii) the organization reviews the information system in accordance with organization-defined frequency to identify and eliminate unnecessary: functions; ports; protocols; and/or services.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for identifying and eliminating unnecessary functions, ports, protocols, and services on the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-7/2

Determine if: (i) the organization develops and maintains one or more of the following specifications to prevent software program execution on the information system: a list of software programs authorized to execute on the information system; a list of software programs not authorized to execute on the information system; and/or rules authorizing the terms and conditions of software program usage on the information system; and (ii) the organization employs automated mechanisms to prevent software program execution on the information system in accordance with the organization-defined specifications.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system design documentation; specification of preventing software program execution; information system configuration settings and associated documentation; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms preventing software program execution on the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-8

Determine if: (i) the organization defines information deemed necessary to achieve effective property accountability; and (ii) the organization develops, documents, and maintains an inventory of information system components that: accurately reflects the current information system; is consistent with the authorization boundary of the information system; is at the level of granularity deemed necessary for tracking and reporting; includes organization-defined information deemed necessary to achieve effective property accountability; and is available for review and audit by designated organizational officials.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system inventory records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-8/1

Determine if the organization updates the inventory of information system components as an integral part of component: installations; removals; and information system updates.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system inventory records; component installation records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system installation and inventory responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-8/2

Determine if the organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available inventory of information system components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system design documentation; information system inventory records; component installation records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms implementing information system component inventory management].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-8/3

Determine if: (i) the organization defines the frequency of employing automated mechanisms to detect the addition of unauthorized components/devices into the information system; (ii) the organization employs automated mechanisms, in accordance with the organization-defined frequency, to detect the addition of unauthorized components/devices into the information system; and (iii) the organization disables network access by such components/devices or notifies designated organizational officials.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system design documentation; information system inventory records; component installation records; change control records; other relevant documents or records].

Test: [SELECT FROM: Automated mechanisms for detecting unauthorized components/devices on the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-8/4

Determine if the organization includes in property accountability information for information system components, a means for identifying by name, position, or role, individuals responsible for administering those components.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system inventory records; component installation records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-8/5

Determine if the organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system inventory records; component installation records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system inventory responsibilities; organizational personnel with responsibilities for defining information system components within the authorization boundary of the system].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-9

Determine if the organization develops, documents, and implements a configuration management plan for the information system that: addresses roles, responsibilities, and configuration management processes and procedures; defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration management planning; security plan; other relevant documents or records].