compliance controls are associated with this Policy definition 'Retain previous versions of baseline configs' (5e4e9685-3818-5934-0071-2620c4fa2ca5)
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CM-2(3) | FedRAMP_High_R4_CM-2(3) | FedRAMP High CM-2 (3) | Configuration Management | Retention Of Previous Configurations | Shared | n/a | The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. Supplemental Guidance: Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records. | link | 1 |
| FedRAMP_Moderate_R4 | CM-2(3) | FedRAMP_Moderate_R4_CM-2(3) | FedRAMP Moderate CM-2 (3) | Configuration Management | Retention Of Previous Configurations | Shared | n/a | The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. Supplemental Guidance: Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records. | link | 1 |
| hipaa | 0618.09b1System.1-09.b | hipaa-0618.09b1System.1-09.b | 0618.09b1System.1-09.b | 06 Configuration Management | 0618.09b1System.1-09.b 09.01 Documented Operating Procedures | Shared | n/a | Changes to information assets, including systems, networks, and network services, are controlled and archived. | | 16 |
| hipaa | 0627.10h1System.45-10.h | hipaa-0627.10h1System.45-10.h | 0627.10h1System.45-10.h | 06 Configuration Management | 0627.10h1System.45-10.h 10.04 Security of System Files | Shared | n/a | The organization maintains information systems according to a current baseline configuration and configures system security parameters to prevent misuse. Vendor supplied software used in operational systems is maintained at a level supported by the supplier and uses the latest version of web browsers on operational systems to take advantage of the latest security functions in the application. | | 11 |
| hipaa | 0643.10k3Organizational.3-10.k | hipaa-0643.10k3Organizational.3-10.k | 0643.10k3Organizational.3-10.k | 06 Configuration Management | 0643.10k3Organizational.3-10.k 10.05 Security In Development and Support Processes | Shared | n/a | The organization (i) establishes and documents mandatory configuration settings for information technology products employed within the information system using the latest security configuration baselines; (ii) identifies, documents, and approves exceptions from the mandatory established configuration settings for individual components based on explicit operational requirements; and, (iii) monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. | | 17 |
| NIST_SP_800-171_R2_3 | .4.1 | NIST_SP_800-171_R2_3.4.1 | NIST SP 800-171 R2 3.4.1 | Configuration Management | Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | Shared | Microsoft and the customer share responsibilities for implementing this requirement. | Baseline configurations are documented, formally reviewed, and agreed-upon specifications for systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and changes to systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and update and patch information on operating systems and applications; and configuration settings and parameters), network topology, and the logical placement of those components within the system architecture. Baseline configurations of systems also reflect the current enterprise architecture. Maintaining effective baseline configurations requires creating new baselines as organizational systems change over time. Baseline configuration maintenance includes reviewing and updating the baseline configuration when changes are made based on security risks and deviations from the established baseline configuration. Organizations can implement centralized system component inventories that include components from multiple organizational systems. In such situations, organizations ensure that the resulting inventories include system-specific information required for proper component accountability (e.g., system association, system owner). Information deemed necessary for effective accountability of system components includes hardware inventory specifications, software license information, software version numbers, component owners, and for networked components or devices, machine names and network addresses. Inventory specifications include manufacturer, device type, model, serial number, and physical location. [SP 800-128] provides guidance on security-focused configuration management. | link | 31 |
| NIST_SP_800-53_R4 | CM-2(3) | NIST_SP_800-53_R4_CM-2(3) | NIST SP 800-53 Rev. 4 CM-2 (3) | Configuration Management | Retention Of Previous Configurations | Shared | n/a | The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. Supplemental Guidance: Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records. | link | 1 |
| NIST_SP_800-53_R5 | CM-2(3) | NIST_SP_800-53_R5_CM-2(3) | NIST SP 800-53 Rev. 5 CM-2 (3) | Configuration Management | Retention of Previous Configurations | Shared | n/a | Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback. | link | 1 |
| SWIFT_CSCF_v2022 | 2.3 | SWIFT_CSCF_v2022_2.3 | SWIFT CSCF v2022 2.3 | 2. Reduce Attack Surface and Vulnerabilities | Reduce the cyber-attack surface of SWIFT-related components by performing system hardening. | Shared | n/a | Security hardening is conducted and maintained on all in-scope components. | link | 25 |