compliance controls are associated with this Policy definition 'Develop configuration management plan' (04837a26-2601-1982-3da7-bf463e6408f4)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
CM-9 |
FedRAMP_High_R4_CM-9 |
FedRAMP High CM-9 |
Configuration Management |
Configuration Management Plan |
Shared |
n/a |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.
Supplemental Guidance: Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10.
References: NIST Special Publication 800-128. |
link |
6 |
| FedRAMP_Moderate_R4 |
CM-9 |
FedRAMP_Moderate_R4_CM-9 |
FedRAMP Moderate CM-9 |
Configuration Management |
Configuration Management Plan |
Shared |
n/a |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.
Supplemental Guidance: Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10.
References: NIST Special Publication 800-128. |
link |
6 |
| hipaa |
0602.06g1Organizational.3-06.g |
hipaa-0602.06g1Organizational.3-06.g |
0602.06g1Organizational.3-06.g |
06 Configuration Management |
0602.06g1Organizational.3-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
The results and recommendations of the reviews are documented and approved by management. |
|
10 |
| hipaa |
0636.10k2Organizational.1-10.k |
hipaa-0636.10k2Organizational.1-10.k |
0636.10k2Organizational.1-10.k |
06 Configuration Management |
0636.10k2Organizational.1-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization formally addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance for configuration management (e.g., through policies, standards, processes). |
|
8 |
| hipaa |
0637.10k2Organizational.2-10.k |
hipaa-0637.10k2Organizational.2-10.k |
0637.10k2Organizational.2-10.k |
06 Configuration Management |
0637.10k2Organizational.2-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization has developed, documented, and implemented a configuration management plan for the information system. |
|
7 |
| hipaa |
0644.10k3Organizational.4-10.k |
hipaa-0644.10k3Organizational.4-10.k |
0644.10k3Organizational.4-10.k |
06 Configuration Management |
0644.10k3Organizational.4-10.k 10.05 Security In Development and Support Processes |
Shared |
n/a |
The organization employs automated mechanisms to (i) centrally manage, apply, and verify configuration settings; (ii) respond to unauthorized changes to network and system security-related configuration settings; and, (iii) enforce access restrictions and auditing of the enforcement actions. |
|
20 |
| hipaa |
0669.10hCSPSystem.1-10.h |
hipaa-0669.10hCSPSystem.1-10.h |
0669.10hCSPSystem.1-10.h |
06 Configuration Management |
0669.10hCSPSystem.1-10.h 10.04 Security of System Files |
Shared |
n/a |
Open and published APIs are used by cloud service providers to ensure support for interoperability between components and to facilitate migrating applications. |
|
16 |
| hipaa |
0821.09m2Organizational.2-09.m |
hipaa-0821.09m2Organizational.2-09.m |
0821.09m2Organizational.2-09.m |
08 Network Protection |
0821.09m2Organizational.2-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization tests and approves all network connections and firewall, router, and switch configuration changes prior to implementation. Any deviations from the standard configuration or updates to the standard configuration are documented and approved in a change control system. All new configuration rules beyond a baseline-hardened configuration that allow traffic to flow through network security devices, such as firewalls and network-based IPS, are also documented and recorded, with a specific business reason for each change, a specific individual’s name responsible for that business need, and an expected duration of the need. |
|
18 |
| hipaa |
0869.09m3Organizational.19-09.m |
hipaa-0869.09m3Organizational.19-09.m |
0869.09m3Organizational.19-09.m |
08 Network Protection |
0869.09m3Organizational.19-09.m 09.06 Network Security Management |
Shared |
n/a |
The router configuration files are secured and synchronized. |
|
11 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| NIST_SP_800-53_R4 |
CM-9 |
NIST_SP_800-53_R4_CM-9 |
NIST SP 800-53 Rev. 4 CM-9 |
Configuration Management |
Configuration Management Plan |
Shared |
n/a |
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the information system and places the configuration items under configuration management; and
d. Protects the configuration management plan from unauthorized disclosure and modification.
Supplemental Guidance: Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual information systems. Such plans define detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. Configuration management plans are typically developed during the development/acquisition phase of the system development life cycle. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. Organizations can employ templates to help ensure consistent and timely development and implementation of configuration management plans. Such templates can represent a master configuration management plan for the organization at large with subsets of the plan implemented on a system by system basis. Configuration management approval processes include designation of key management stakeholders responsible for reviewing and approving proposed changes to information systems, and personnel that conduct security impact analyses prior to the implementation of changes to the systems. Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration-managed. As information systems continue through the system development life cycle, new configuration items may be identified and some existing configuration items may no longer need to be under configuration control. Related controls: CM-2, CM-3, CM-4, CM-5, CM-8, SA-10.
References: NIST Special Publication 800-128. |
link |
6 |
| NIST_SP_800-53_R5 |
CM-9 |
NIST_SP_800-53_R5_CM-9 |
NIST SP 800-53 Rev. 5 CM-9 |
Configuration Management |
Configuration Management Plan |
Shared |
n/a |
Develop, document, and implement a configuration management plan for the system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the system and places the configuration items under configuration management;
d. Is reviewed and approved by [Assignment: organization-defined personnel or roles]; and
e. Protects the configuration management plan from unauthorized disclosure and modification. |
link |
6 |
|
op.exp.2 Security configuration |
op.exp.2 Security configuration |
404 not found |
|
|
|
n/a |
n/a |
|
112 |
|
op.exp.3 Security configuration management |
op.exp.3 Security configuration management |
404 not found |
|
|
|
n/a |
n/a |
|
123 |
|
op.exp.4 Security maintenance and updates |
op.exp.4 Security maintenance and updates |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.5 Change management |
op.exp.5 Change management |
404 not found |
|
|
|
n/a |
n/a |
|
71 |
|
op.mon.3 Monitoring |
op.mon.3 Monitoring |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |