Establish, implement, and maintain configuration control and Configuration Status Accounting.


CONTROL ID: 00863
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Configuration Management program., CC ID: 00867

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain appropriate system labeling., CC ID: 01900
  • Verify configuration files requiring passwords for automation do not contain those passwords after the installation process is complete., CC ID: 06555


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • To detect malicious programs, the organization should compare the original library files with the current files being used and properly manage file revision records. (T50.2(4), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The information security policy should include configuration control. (Control: 0890 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization should record the system configuration for all servers whose functions are critical and ones that are high risk of compromise. (Control: 0386 Bullet 1, Australian Government Information Security Manual: Controls)
  • The organization should control the mobile device configuration in the same way that it controls the configuration of devices in the office environment. (Control: 0862, Australian Government Information Security Manual: Controls)
  • configuration management controls to ensure that the configuration minimises vulnerabilities and is defined, assessed, registered and maintained; (¶ 54(b), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Configuration control is concerned with ensuring that only authorized and identifiable CIs are recorded from receipt to disposal. It ensures that no CI is added, modified, replaced or removed without appropriate controlling documentation e.g. an approved Change request. Configuration status accounti… (§ 7.3.3, § 7.3.4, OGC ITIL: Service Support)
  • Are the systems properly configured according to the architecture? (Table Row I.21, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does the organization have a standard desktop configuration? (Table Row VI.12, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Configuration change control allows changes or additions to the system to be monitored, so if an addition or change is unauthorized, then action can be taken before a security incident happens. System reports should be enabled to create a baseline configuration document. (§ 3.5, The Center for Internet Security Open Enterprise Server: NetWare (v1) Consensus Baseline Security Settings Benchmark, 1)
  • The organization should establish configuration management procedures, including patch management and configuration control. (§ 2.2 (2.2.010), The Center for Internet Security Wireless Networking Benchmark, 1)
  • Are common system security parameters included in the system configuration standards? (PCI DSS Question 2.2.4(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Are common system security parameters included in the system configuration standards? (PCI DSS Question 2.2.4(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Are common system security parameters included in the system configuration standards? (PCI DSS Question 2.2.4(b), PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Are common system security parameters included in the system configuration standards? (PCI DSS Question 2.2.4(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are common system security parameters included in the system configuration standards? (PCI DSS Question 2.2.4(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Servers should be configured in accordance with documented standards / procedures, which should cover performing standard security management practices. (CF.07.02.01e, The Standard of Good Practice for Information Security)
  • Servers should be subject to standard security management practices, which includes keeping them up-to-date (e.g., by applying approved Change Management and patch management processes). (CF.07.02.06b, The Standard of Good Practice for Information Security)
  • Networks should be supported by documentation, which includes configurations and settings for in-house telephone exchanges. (CF.09.02.03d, The Standard of Good Practice for Information Security)
  • Computing devices used by staff working in remote environments should be supplied with standard, technical configurations (e.g., pre-configured to run a standard Operating System, standard applications, and common communications software). (CF.14.01.04a, The Standard of Good Practice for Information Security)
  • Networks should be supported by documentation, which includes configurations and settings for in-house telephone exchanges. (CF.09.02.03d, The Standard of Good Practice for Information Security, 2013)
  • Servers should be configured in accordance with documented standards / procedures, which should cover performing standard security management practices. (CF.07.02.01f, The Standard of Good Practice for Information Security, 2013)
  • Servers should be subject to standard security management practices, which includes keeping them up-to-date (e.g., by applying approved Change Management and patch management processes). (CF.07.02.09b, The Standard of Good Practice for Information Security, 2013)
  • Server images should be reviewed, tested, and kept up-to-date (i.e., with recent patches and changes to build / configuration). (CF.07.02.04, The Standard of Good Practice for Information Security, 2013)
  • Arrangements should be made to ensure that once changes have been applied, standard secure configurations (e.g., 'server images' and standard builds) are updated, to ensure changes apply to new builds. (CF.07.06.05g, The Standard of Good Practice for Information Security, 2013)
  • The organization should develop a formal configuration control process and management infrastructure for mobile devices. (Critical Control 3.13, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • When a product is being updated to a new version, the configuration management system should automatically keep track of the changes between the two versions. (§ 13.1, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The configuration management plan should identify all the items being maintained by configuration control. Automated measures should be in place to ensure only authorized changes are made during the building of the final product by identifying individuals allowed to make changes. (§ 11.4.1.4.4, § 12.4.1.3.4, § 13.4.1, § 13.4.1.3.4, § 13.4.2.3.16, § 13.4.2.3.17, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • Documented procedures shall exist for recording, controlling, and tracking the Configuration Item versions. (§ 9.1 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The configuration process should ensure that only authorized and identifiable configuration items are accepted and recorded from receipt to disposal. No configuration item should be added, modified, replaced or removed/withdrawn without appropriate controlling documentation, e.g. approved change req… (§ 9.1.3, § 9.1.4, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • At planned intervals, the organization shall verify the accuracy of the configuration information. Where deficiencies are found, the organization shall take necessary actions. (§ 8.2.6 ¶ 4, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • A process is in place to select, implement, maintain, and monitor configuration parameters used to control the functionality of developed and acquired software. (CC8.1 ¶ 3 Bullet 6 Configures Software, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Components shall provide the capability to be configured according to recommended network and security configurations as described in guidelines provided by the control system supplier. The component shall provide an interface to the currently deployed network and security configuration settings. (11.8.1 ¶ 1, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. (CM-2(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. (CM-6(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. (CM-2(3) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. (CM-6(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. (CM-2(3) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. (CM-6(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management. (CM-3(6) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • A process is in place to select and implement the configuration parameters used to control the functionality of software. (CC8.1 Configures Software, Trust Services Criteria)
  • A process is in place to select and implement the configuration parameters used to control the functionality of software. (CC8.1 ¶ 2 Bullet 6 Configures Software, Trust Services Criteria, (includes March 2020 updates))
  • When desktop computers are used to transmit scoped systems and data, is the installation of software on company-owned equipment (workstations, mobile devices) restricted to administrators? (§ G.22.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to process scoped systems and data, is the installation of software on company-owned equipment (workstations, mobile devices) restricted to administrators? (§ G.22.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When desktop computers are used to store scoped systems and data, is the installation of software on company-owned equipment (workstations, mobile devices) restricted to administrators? (§ G.22.11, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Configuration management controls should be used to keep software under strict control to prevent unauthorized changes. A master copy of the software should be kept and never altered. (§ 2-4.f, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • Users should be restricted to a list of accounts they may access. If a user requires access to more than five accounts, the Account May Be User Entered flag may be set. The System Administrator should ensure users who require access to less than five accounts cannot enter an account name during sign… (§ 3.1.3.11.3, § 3.2.1, § 3.1.8.3 thru § 3.1.8.5, § 6.3, § 7.2.2, § 7.2.3, § 8.9.3, Defense Information Systems Agency UNISYS Security Technical Implementation Guide Version 7 Release 2, 28 August 2006)
  • The Information Assurance Officer, for all networked medical devices, will utilize configuration control policies. (§ 3.2.5 (MED0090: CAT III), Medical Devices Security Technical Implementation Guide, Version 1, Release 1)
  • IaaS: Securely configure (harden / STIG) / patch / maintain each VM's OS and IAW DoD policy and CYBERCOM direction. The use of DoD STIGs and SRGs is required for secure configuration as is compliance with IAVMs. (Section 5.10.6 ¶ 1 Bullet 6, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • PaaS: For those VM OSs and applications under direct management of the Mission Owner (not the CSP per contract), securely configure (harden /STIG) / patch / maintain each VM's OS and application provided by the CSP IAW DoD policy and United States Cyber Command (USCYBERCOM) direction. The use of DoD… (Section 5.10.6 ¶ 1 Bullet 7, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The Joint Authorization Board must approve and accept the elements of the cloud environment that require system use notification. (Column F: AC-8, FedRAMP Baseline Security Controls)
  • The service provider shall use the Level 1 guidelines from the Center for Internet Security in order to establish configuration settings, if the United States Government Configuration Baseline is not available. (Column F: CM-6a, FedRAMP Baseline Security Controls)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization retains [FedRAMP Assignment: organization-defined previous versions of baseline configurations of the previously approved baseline configuration of IS components] to support rollback. (CM-2(3) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization ensures that cryptographic mechanisms used to provide [FedRAMP Assignment: All security safeguards that rely on cryptography] are under configuration management. (CM-3(6) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. (CM-6(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. (CM-2(3) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. (CM-6(1) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. (CM-6(1) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., FedRAMP Security Controls High Baseline, Version 5)
  • Retain [FedRAMP Assignment: organization-defined number of previous versions of baseline configurations of the previously approved baseline configuration of IS components] of previous versions of baseline configurations of the system to support rollback. (CM-2(3) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [FedRAMP Assignment: All security safeguards that rely on cryptography]. (CM-3(6) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [FedRAMP Assignment: all]. (SR-11(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., FedRAMP Security Controls Low Baseline, Version 5)
  • Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [FedRAMP Assignment: all]. (SR-11(2) ¶ 1, FedRAMP Security Controls Low Baseline, Version 5)
  • Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. (CM-6(1) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Retain [FedRAMP Assignment: organization-defined number of previous versions of baseline configurations of the previously approved baseline configuration of IS components] of previous versions of baseline configurations of the system to support rollback. (CM-2(3) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [FedRAMP Assignment: all]. (SR-11(2) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is the Intrusion Detection System configured in the manufacturer's specifications? (IT - IDS IPS Q 11, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls]. (CM-3(6) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. (CM-6(1) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback. (CM-2(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components]. (SR-11(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components]. (SR-11(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback. (CM-2(3) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components]. (SR-11(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components]. (SR-11(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components]. (SR-11(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components]. (SR-11(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. (CM-6(1) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile. (3.5.3e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • WLAN security should be incorporated into all phases of the lifecycle. (§ 10.5, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i, NIST SP 800-97, February 2007)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. (CM-2(3) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. (CM-2(3) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. (CM-6(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should document all configuration settings that are changed. (SG.CM-6 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms for managing, applying, and verifying the configuration settings. (SG.CM-6 Additional Considerations A1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should keep older versions of the baseline configuration to support rollback. (App F § CM-2(3), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization retains {organizationally documented previous versions of baseline configurations of the information system} to support rollback. (CM-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization ensures that cryptographic mechanisms used to provide {organizationally documented security safeguards} are under configuration management. (CM-3(6), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for {organizationally documented information system components}. (CM-6(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization maintains configuration control over {organizationally documented information system components} awaiting service/repair and serviced/repaired components awaiting return to service. (SA-19(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization retains {organizationally documented previous versions of baseline configurations of the information system} to support rollback. (CM-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for {organizationally documented information system components}. (CM-6(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization retains {organizationally documented previous versions of baseline configurations of the information system} to support rollback. (CM-2(3), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. (CM-2(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. (CM-6(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. (CM-2(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. (CM-2(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. (CM-6(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management. (CM-3(6) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service. (SA-19(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components]. (SR-11(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls]. (CM-3(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. (CM-6(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback. (CM-2(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Maintain configuration control over the following system components awaiting service or repair and serviced or repaired components awaiting return to service: [Assignment: organization-defined system components]. (SR-11(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls]. (CM-3(6) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms]. (CM-6(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Retain [Assignment: organization-defined number] of previous versions of baseline configurations of the system to support rollback. (CM-2(3) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establish configuration requirements, connection requirements, and implementation guidance for each type of wireless access; and (AC-18a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. (CM-6(1) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization maintains configuration control over [Assignment: organization-defined information system components] awaiting service/repair and serviced/repaired components awaiting return to service. (SA-19(2) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a., TX-RAMP Security Controls Baseline Level 1)
  • Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (AC-18a., TX-RAMP Security Controls Baseline Level 2)
  • The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. (CM-2(3) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components]. (CM-6(1) ¶ 1, TX-RAMP Security Controls Baseline Level 2)