Doc:NIST SP 800-53Ar1 Appendix F/Enhanced/CM/Moderate

Template:Doc:NIST SP 800-53r3 Appendix F/CM-1

Determine if: (i) the organization develops and formally documents configuration management policy; (ii) the organization configuration management policy addresses: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; and compliance; (iii) the organization disseminates formal documented configuration management policy to elements within the organization having associated configuration management roles and responsibilities; (iv) the organization develops and formally documents configuration management procedures; (v) the organization configuration management procedures facilitate implementation of the configuration management policy and associated configuration management controls; and (vi) the organization disseminates formal documented configuration management procedures to elements within the organization having associated configuration management roles and responsibilities.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities].

Determine if: (i) the organization defines the frequency of configuration management policy reviews/updates; (ii) the organization reviews/updates configuration management policy in accordance with organization-defined frequency; (iii) the organization defines the frequency of configuration management procedure reviews/updates; and (iv) the organization reviews/updates configuration management procedures in accordance with organization-defined frequency.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy and procedures; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration management and control responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-2

Determine if: (i) the organization develops and documents a baseline configuration of the information system and (ii) the organization maintains, under configuration control, a current baseline configuration of the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; enterprise architecture documentation; information system design documentation; information system architecture and configuration documentation; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-2/1

Determine if: (i) the organization defines: the frequency of reviews and updates to the baseline configuration of the information system; and the circumstances that require reviews and updates to the baseline configuration of the information system; and (ii) the organization reviews and updates the baseline configuration of the information system in accordance with the organization-defined frequency; when required due to organization-defined circumstances; and as an integral part of information system component installations and upgrades.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system architecture and configuration documentation; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-2/3

Determine if the organization retains older versions of baseline configurations as deemed necessary to support rollback.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; information system architecture and configuration documentation; historical copies of baseline configurations; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-2/4

Determine if: (i) the organization develops and maintains a list of software programs not authorized to execute on the information system; and (ii) the organization employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing the baseline configuration of the information system; list of software programs not authorized to execute on the information system; information system architecture and configuration documentation; security plan; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-3

Determine if: (i) the organization determines the types of changes to the information system that are configuration controlled; (ii) the organization approves configuration-controlled changes to the system with explicit consideration for security impact analyses; (iii) the organization documents approved configuration-controlled changes to the system; (iv) the organization retains and reviews records of configuration-controlled changes to the system; (v) the organization audits activities associated with configuration-controlled changes to the system; (vi) the organization defines: the configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities; the frequency with which the configuration change control element convenes; and/or; configuration change conditions that prompt the configuration change control element to convene. (vii) the organization coordinates and provides oversight for configuration change control activities through the organization-defined configuration change control element that convenes at the organization-defined frequency and/or for any organization-defined configuration change conditions.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system architecture and configuration documentation; security plan; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-3/2

Determine if the organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system configuration change control; information system design documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-4

Determine if the organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing security impact analysis for changes to the information system; security impact analysis documentation; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for determining security impacts prior to implementation of information system changes].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-5

Determine if the organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing access restrictions for changes to the information system; information system architecture and configuration documentation; change control records; information system audit records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with logical access control responsibilities; organizational personnel with physical access control responsibilities].

Test: [SELECT FROM: Change control process and associated restrictions for changes to the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-6

Determine if: (i) the organization defines security configuration checklists to be used to establish and document mandatory configuration settings for the information system technology products employed; (ii) the organization-defined security configuration checklists reflect the most restrictive mode consistent with operational requirements; (iii) the organization establishes and documents mandatory configuration settings for information technology products employed within the information system using organization-defined security configuration checklists; (iv) the organization implements the security configuration settings; (v) the organization identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements; and (vi) the organization monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-6/3

Determine if: (i) the organization incorporates detection of unauthorized, security-relevant configuration changes into the organization's incident response capability; and (ii) the organization ensures that such detected events are tracked, monitored, corrected, and available for historical purposes.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration settings for the information system; procedures addressing incident response planning; information system design documentation; information system configuration settings and associated documentation; incident response plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with security configuration responsibilities; organization personnel with incident response planning responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-7

Determine if: (i) the organization defines for the information system prohibited or restricted: functions; ports; protocols; and services; (ii) the organization configures the information system to provide only essential capabilities; and (iii) the organization configures the information system to specifically prohibit or restrict the use of organization-defined: functions; ports; protocols; and/or services.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Test: [SELECT FROM: Information system for disabling or restricting functions, ports, protocols, and services].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-7/1

Determine if: (i) the organization defines the frequency of information system reviews to identify and eliminate unnecessary: functions; ports; protocols; and/or services; and (ii) the organization reviews the information system in accordance with organization-defined frequency to identify and eliminate unnecessary: functions; ports; protocols; and/or services.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the information system; security plan; information system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with responsibilities for identifying and eliminating unnecessary functions, ports, protocols, and services on the information system].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-8

Determine if: (i) the organization defines information deemed necessary to achieve effective property accountability; and (ii) the organization develops, documents, and maintains an inventory of information system components that: accurately reflects the current information system; is consistent with the authorization boundary of the information system; is at the level of granularity deemed necessary for tracking and reporting; includes organization-defined information deemed necessary to achieve effective property accountability; and is available for review and audit by designated organizational officials.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system inventory records; other relevant documents or records].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-8/1

Determine if the organization updates the inventory of information system components as an integral part of component: installations; removals; and information system updates.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; information system inventory records; component installation records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system installation and inventory responsibilities].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-8/5

Determine if the organization verifies that all components within the authorization boundary of the information system are either inventoried as a part of the system or recognized by another system as a component within that system.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing information system component inventory; security plan; information system inventory records; component installation records; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with information system inventory responsibilities; organizational personnel with responsibilities for defining information system components within the authorization boundary of the system].

Template:Doc:NIST SP 800-53r3 Appendix F/CM-9

Determine if the organization develops, documents, and implements a configuration management plan for the information system that: addresses roles, responsibilities, and configuration management processes and procedures; defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.

POTENTIAL ASSESSMENT METHODS AND OBJECTS:

Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing configuration management planning; security plan; other relevant documents or records].