Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/CM/Low

From FISMApedia

NIST SP 800-53Ar1 Assessment Procedure Catalog, with SP 800-53r3 Security Controls


CONFIGURATION MANAGEMENT

CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES


FAMILY: CONFIGURATION MANAGEMENT | CLASS: OPERATIONAL


Security Control Baseline:
CM-1 Configuration Management Policy and Procedures | Priority: P1 | LOW: CM-1 | MOD: CM-1 | HIGH: CM-1


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CM-1


ASSESSMENT PROCEDURE
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
CM-1.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and formally documents configuration management policy;
(ii) the organization configuration management policy addresses:
(iii) the organization disseminates formal documented configuration management policy to elements within the organization having associated configuration management roles and responsibilities;
(iv) the organization develops and formally documents configuration management procedures;
(v) the organization configuration management procedures facilitate implementation of the configuration management policy and associated configuration management controls; and
(vi) the organization disseminates formal documented configuration management procedures to elements within the organization having associated configuration management roles and responsibilities.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities].
CM-1.2 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines the frequency of configuration management policy reviews/updates;
(ii) the organization reviews/updates configuration management policy in accordance with organization-defined frequency;
(iii) the organization defines the frequency of configuration management procedure reviews/updates; and
(iv) the organization reviews/updates configuration management procedures in accordance with organization-defined frequency.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities].


CM-2 BASELINE CONFIGURATION


FAMILY: CONFIGURATION MANAGEMENT | CLASS: OPERATIONAL


Security Control Baseline:
CM-2 Baseline Configuration | Priority: P1 | LOW: CM-2 | MOD: CM-2 (1) (3) (4) | HIGH: CM-2 (1) (2) (3) (5) (6)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CM-2


ASSESSMENT PROCEDURE
CM-2 BASELINE CONFIGURATION
CM-2.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization develops and documents a baseline configuration of the information system; and
(ii) the organization maintains, under configuration control, a current baseline configuration of the information system.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; enterprise architecture documentation; information system design documentation; information system architecture and configuration documentation; other relevant documents or records].



CM-4 SECURITY IMPACT ANALYSIS


FAMILY: CONFIGURATION MANAGEMENT | CLASS: OPERATIONAL


Security Control Baseline:
CM-4 Security Impact Analysis | Priority: P2 | LOW: CM-4 | MOD: CM-4 | HIGH: CM-4 (1)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CM-4


ASSESSMENT PROCEDURE
CM-4 SECURITY IMPACT ANALYSIS
CM-4.1 ASSESSMENT OBJECTIVE:
Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing security impact analysis for changes to the information system; security impact analysis documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with responsibilities for determining security impacts prior to implementation of information system changes].



CM-6 CONFIGURATION SETTINGS


FAMILY: CONFIGURATION MANAGEMENT | CLASS: OPERATIONAL


Security Control Baseline:
CM-6 Configuration Settings | Priority: P1 | LOW: CM-6 | MOD: CM-6 (3) | HIGH: CM-6 (1) (2) (3)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CM-6


ASSESSMENT PROCEDURE
CM-6 CONFIGURATION SETTINGS
CM-6.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines security configuration checklists to be used to establish and document mandatory configuration settings for the information system technology products employed;
(ii) the organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements;
(iii) the organization establishes and documents mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists;
(iv) the organization implements the security configuration settings;
(v) the organization identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and
(vi) the organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].
Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities].



CM-7 LEAST FUNCTIONALITY


FAMILY: CONFIGURATION MANAGEMENT | CLASS: OPERATIONAL


Security Control Baseline:
CM-7 Least Functionality | Priority: P1 | LOW: CM-7 | MOD: CM-7 (1) | HIGH: CM-7 (1) (2)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CM-7


ASSESSMENT PROCEDURE
CM-7 LEAST FUNCTIONALITY
CM-7.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines for the information system prohibited or restricted:
  • functions;
  • ports;
  • protocols; and
  • services;
(ii) the organization configures the information system to provide only essential capabilities; and
(iii) the organization configures the information system to specifically prohibit or restrict the use of organization-defined:
  • functions;
  • ports;
  • protocols; and/or
  • services.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].
Test: [SELECT FROM: Information system for disabling or restricting functions, ports, protocols, and services].


CM-8 INFORMATION SYSTEM COMPONENT INVENTORY


FAMILY: CONFIGURATION MANAGEMENT | CLASS: OPERATIONAL


Security Control Baseline:
CM-8 Information System Component Inventory | Priority: P1 | LOW: CM-8 | MOD: CM-8 (1) (5) | HIGH: CM-8 (1) (2) (3) (4) (5)


SECURITY CONTROL

Template:Doc:NIST SP 800-53r3 Appendix F/CM-8


ASSESSMENT PROCEDURE
CM-8 INFORMATION SYSTEM COMPONENT INVENTORY
CM-8.1 ASSESSMENT OBJECTIVE:
Determine if:
(i) the organization defines information deemed necessary to achieve effective property accountability; and
(ii) the organization develops, documents, and maintains an inventory of information system components that:
  • accurately reflects the current information system;
  • is consistent with the authorization boundary of the information system;
  • is at the level of granularity deemed necessary for tracking and reporting;
  • includes organization-defined information deemed necessary to achieve effective property accountability; and
  • is available for review and audit by designated organizational officials.
POTENTIAL ASSESSMENT METHODS AND OBJECTS:
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system inventory records; other relevant documents or records].