Back

Provide a Configuration Management plan by the Information System developer for all newly acquired assets.


CONTROL ID
01446
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Include security requirements in system acquisition contracts., CC ID: 01124

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • It may be prudent that a fast-track software and hardware procurement process is formulated, which includes making prior arrangement with the related software and hardware providers to allow upgrading of system capacity within a short period of time when such a need arises. In any case, adequate end… (§ 9.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • It may be prudent that a fast-track software and hardware procurement process is formulated, which includes making prior arrangement with the related software and hardware providers to allow upgrading of system capacity within a short period of time when such a need arises. In any case, adequate end… (§ 9.2.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. (PI1.1 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; (SA-10a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; (SA-10a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. (PI1.1, Trust Services Criteria)
  • The entity obtains or generates, uses, and communicates relevant, quality information regarding the objectives related to processing, including definitions of data processed and product and service specifications, to support the use of products and services. (PI1.1 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • The device manufacturer needs to define the required hardware configurations, software configurations, software versions, utilities, and operating environments. (§ 6.2 ¶ 2, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The device manufacturer needs to document the requirements for system performance, quality, error handling, startup, shutdown, security, and more. (§ 6.2 ¶ 2 Bullet 1, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The device manufacturer needs to identify safety related functions or features, such as alarms, interlocks, command sequences, and logical processing steps. (§ 6.2 ¶ 2 Bullet 2, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Perform configuration management during system, component, or service [FedRAMP Selection: development, implementation, AND operation]; (SA-10a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization requires providers of [FedRAMP Assignment: all external systems where Federal information is processed or stored] to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization requires providers of [FedRAMP Assignment: all external systems where Federal information is processed or stored] to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Perform configuration management during system, component, or service [FedRAMP Selection: development, implementation, AND operation]; (SA-10a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., FedRAMP Security Controls High Baseline, Version 5)
  • Deliver the system, component, or service with [FedRAMP Assignment: The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; Custom baselines shall be used if CIS is… (SA-4(5) ¶ 1(a), FedRAMP Security Controls High Baseline, Version 5)
  • Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [FedRAMP Assignment: all external systems where Federal information is processed or stored]. (SA-9(2) ¶ 1, FedRAMP Security Controls High Baseline, Version 5)
  • Perform configuration management during system, component, or service [FedRAMP Assignment: design; development, implementation, AND operation]; (SA-10a., FedRAMP Security Controls High Baseline, Version 5)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [FedRAMP Assignment: all external systems where Federal information is processed or stored]. (SA-9(2) ¶ 1, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Perform configuration management during system, component, or service [FedRAMP Assignment: development, implementation, AND operation]; (SA-10a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; (SA-10a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services]. (SA-9(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and (SA-4(5) ¶ 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services]. (SA-9(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; (SA-10a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; (SA-10a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and (SA-4(5) ¶ 1(a), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; (SA-10a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure a system developer configuration management plan exists; the plan controls changes to the system, tracks security flaws, and requires changes to be authorized; and that specific responsibilities and actions are defined for the impleme… (SA-10, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2) ¶ 1 Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; (SA-10a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; (SA-10a. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must obtain information that describes the security controls' functional properties that are used in the smart grid Information System from the contractor or third party. (SG.SA-5 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must require smart grid system developers and integrators to document and implement a Configuration Management process that manages and controls system changes during design, development, implementation, and operation. (SG.SA-9 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must require smart grid Information System developers and integrators to document and implement a Configuration Management process that tracks all of the security flaws. (SG.SA-9 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must require smart grid Information System developers and integrators to document and implement a Configuration Management process that includes an approval of the changes. (SG.SA-9 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should require that the acquisition document states that the system components are to be delivered in a secure, documented configuration, and the secure configuration is the default configuration for software upgrades or reinstallations. (App F § SA-4(5), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must require system developers and integrators to perform Configuration Management during system design, development, implementation, and operation. (App F § SA-10.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization requires the developer of the information system, system component, or information system service to deliver the system, component, or service with {organizationally documented security configurations} implemented. (SA-4(5)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to use the configurations as the default for any subsequent system, component, or service reinstallation or upgrade. (SA-4(5)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires providers of {organizationally documented external information system services} to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {design}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {development}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {implementation}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {operation}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team. (SA-10(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires providers of {organizationally documented external information system services} to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {design}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {development}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {implementation}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {operation}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires providers of {organizationally documented external information system services} to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {design}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {development}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {implementation}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to perform configuration management during system, component, or service {operation}. (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization requires providers of [Assignment: organization-defined external information system services] to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and (SA-4(5)(a), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; (SA-10a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and (SA-4(5) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; (SA-10a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services]. (SA-9(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and (SA-4(5) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation; disposal]; (SA-10a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Require providers of the following external system services to identify the functions, ports, protocols, and other services required for the use of such services: [Assignment: organization-defined external system services]. (SA-9(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Deliver the system, component, or service with [Assignment: organization-defined security configurations] implemented; and (SA-4(5) ¶ 1(a), Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; (SA-10a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., TX-RAMP Security Controls Baseline Level 1)
  • Secure configuration, installation, and operation of the system, component, or service; (SA-5a.1., TX-RAMP Security Controls Baseline Level 2)
  • Perform configuration management during system, component, or service [TX-RAMP Selection (one or more): development, implementation, AND operation]; (SA-10a., TX-RAMP Security Controls Baseline Level 2)
  • The organization requires providers of [TX-RAMP Assignment: All external systems where State information is processed or stored] to identify the functions, ports, protocols, and other services required for the use of such services. (SA-9(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)