CM: Configuration Management
Controls
CM-1: Configuration Management Policy And Procedures
Baseline(s):
- Low
- Moderate
- High
The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and Reviews and updates the current: Configuration management policy…
CM-2: Baseline Configuration
Baseline(s):
- Low
- Moderate
- High
The organization develops, documents, and maintains under configuration control a current baseline configuration of the information system.
CM-3: Configuration Change Control
Baseline(s):
- Moderate
- High
The organization: Determines the types of changes to the information system that are configuration-controlled; Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; Documents configuration change decisions associated with the information system; Implements approved configuration-controlled changes to the information system; Retains records of…
CM-4: Security Impact Analysis
Baseline(s):
- Low
- Moderate
- High
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
CM-5: Access Restrictions For Change
Baseline(s):
- Moderate
- High
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
CM-6: Configuration Settings
Baseline(s):
- Low
- Moderate
- High
The organization: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; Implements the configuration settings; Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment:…
CM-7: Least Functionality
Baseline(s):
- Low
- Moderate
- High
The organization: Configures the information system to provide only essential capabilities; and Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
CM-8: Information System Component Inventory
Baseline(s):
- Low
- Moderate
- High
The organization: Develops and documents an inventory of information system components that: Accurately reflects the current information system; Includes all components within the authorization boundary of the information system; Is at the level of granularity deemed necessary for tracking and reporting; and Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability];…
CM-9: Configuration Management Plan
Baseline(s):
- Moderate
- High
The organization develops, documents, and implements a configuration management plan for the information system that: Addresses roles, responsibilities, and configuration management processes and procedures; Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items; Defines the configuration items for the information system and…
CM-10: Software Usage Restrictions
Baseline(s):
- Low
- Moderate
- High
The organization: Uses software and associated documentation in accordance with contract agreements and copyright laws; Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution,…
CM-11: User-Installed Software
Baseline(s):
- Low
- Moderate
- High
The organization: Establishes [Assignment: organization-defined policies] governing the installation of software by users; Enforces software installation policies through [Assignment: organization-defined methods]; and Monitors policy compliance at [Assignment: organization-defined frequency].