Establish, implement, and maintain a configuration management plan.
CONTROL ID
01901
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Configuration Management program., CC ID: 00867

This Control has the following implementation support Control(s):
  • Include configuration management procedures in the configuration management plan., CC ID: 14248
  • Include roles and responsibilities in the configuration management plan., CC ID: 14247
  • Approve the configuration management plan., CC ID: 14717


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization shall develop configuration management documents. (O66.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The policy framework should include configuration standards. (¶ 27(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The network configuration should be under the control of a central network management authority. (§ 3.10.5, Australian Government ICT Security Manual (ACSI 33))
  • Are Active Directory (or equivalent directory services tools) controls used to centralise the management and deployment of hardening and lockdown policies? (Secure configuration Question 17, Cyber Essentials Scheme (CES) Questionnaire, Versions 3.3)
  • In case of IT services, configuration has been conceived, implemented and documented based on the necessary security requirements. (1.2.4 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • firms remain responsible for correctly identifying and classifying data in line with their legal and regulatory obligations, and adopting a risk based approach to the location of data. They also remain responsible for configuration and monitoring of their data in the cloud to reduce security and com… (Table 3 ¶ 1 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • Configuration Management planning consists of agreeing and defining: • the strategy, policy, scope and objectives of Configuration Management • the analysis of the current position of assets and configurations • the organizational context, both technical and managerial, within which the Conf… (§ 7.3.1, OGC ITIL: Service Support)
  • Verify the system configuration standards include procedures for implementing additional security features for required services, protocols, or daemons that are insecure. (Testing Procedures § 2.2.d Bullet 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Centralized management systems that can control and configure distributed wireless networks are recommended. (§ 4.4.1.D, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • The security configuration for firewalls, routers, and switches should be documented, reviewed, and approved by the Change Control Board. (Critical Control 10.1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The configuration control process for mobile devices should include denying unapproved applications, approving corporate applications, and conducting secure remote wipes of stolen devices or lost devices. For organizationally owned devices, a full wipe should be conducted, and a selective wipe of or… (Critical Control 3.13, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • A Configuration Management process shall be established and maintained to control version release during the Change Management process. (§ 4.5.1 ¶ 4, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • A configuration management plan should be developed. The plan should describe each automated tool and how it is used and ensure only authorized changes are made to configuration items. The configuration management system should automatically ensure only authorized changes are made to the product. (§ 13.1, § 13.2, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The configuration management documentation should contain a configuration management plan and an acceptance plan. The configuration management plan should describe each of the automated tools that are used and tell how they are used. Interviews should be conducted with developers to ensure they use… (§ 12.4.1.3.5, § 13.4.1.3.5, § 13.4.1.3.6, § 13.4.1.4, § 13.4.2.3.5, § 13.4.2.3.6, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The infrastructure and/or services should have up-to-date configuration management plan(s) that may be stand-alone or form part of other planning documents. They should include or describe: a) scope, objectives, policies, standards roles and responsibilities; b) the configuration management proces… (§ 9.1.1, ISO 20000-2 Information technology - Service Management Part 2, 2005)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • CMS business partners are not required to make verbatim use of all security configuration guides and checklists for configuring Medicare systems. CMS business partners shall establish and maintain an active configuration management program. CMS business partners shall include their "as designed/buil… (§ 3.10.1 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • Enforce port and protocol compliance. (SC.5.230, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • The organization must implement a Configuration Management process. (DCPR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The Configuration Management process must include defined roles and responsibilities. (DCPR-1(1), DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The Configuration Management process must include procedures for managing the Information Assurance information and documentation. (DCPR-1(1), DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The configuration management plan must include formal change control procedures, system security documentation procedures, processes for testing and verifying the configuration management plan, and a way to verify that the configuration management plan is working effectively. (§ 8-311, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • A Configuration Management Plan should be established and maintained to guide and control parallel development activities and to ensure proper communications and documentation. (§ 5.2.1 ¶ 2, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Determine whether management has implemented and effectively utilizes operational control programs, processes, and tools such as: ▪ Performance management and capacity planning; ▪ User support processes; ▪ Project, change, and patch management; ▪ Conversion management; ▪ Standardization of… (Exam Tier I Obj 5.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Develop, document, and implement a configuration management plan for the system that: (CM-9 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Develop, document, and implement a configuration management plan for the system that: (CM-9 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • The organization must develop, document, distribute, and continuously update a configuration management policy and procedures for implementing configuration management security controls. (§ 5.6.5, Exhibit 4 CM-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Develop, document, and implement a configuration management plan for the system that: (CM-9 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Develop, document, and implement a configuration management plan for the system that: (CM-9 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develop, document, and implement a configuration management plan for the system that: (CM-9 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Develop, document, and implement a configuration management plan for the system that: (CM-9 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Develop, document, and implement a configuration management plan for the system that: (CM-9 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization shall implement a configuration management system for the cryptographic module, its components, and its documentation. The system shall assign and label each version of each configuration item with a unique identification number. (§ 4.10.1 ¶ 2, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The configuration policy should include how to configure the software and hardware for the handheld devices; how to install patches and upgrades; which services and applications can be disabled and/or removed; which applications are required to be installed; how to set up user authentication mechani… (§ 4.2.5, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Oversee and make recommendations regarding configuration management. (T0156, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should develop and implement a Configuration Management Plan that includes the roles, responsibilities, and Configuration Management processes and procedures. (SG.CM-11 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop, disseminate, review, and update formal, documented procedures to help implement the Configuration Management policy and associated controls. (App F § CM-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, document, and implement a Configuration Management Plan that includes the roles, responsibilities, and processes and procedures for Configuration Management. (App F § CM-9.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, document, and implement a Configuration Management Plan that defines the system configuration items and when, during the development lifecycle, these items must be placed under Configuration Management. (App F § CM-9.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, document, and implement a Configuration Management Plan that establishes the ways configuration items are identified throughout the development lifecycle and a process to manage the configuration of the configuration items. (App F § CM-9.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Oversee and make recommendations regarding configuration management. (T0156, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. (CM-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. (CM-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items. (CM-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that defines the configuration items for the information system and places the configuration items under configuration management. (CM-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. (CM-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. (CM-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items. (CM-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that defines the configuration items for the information system and places the configuration items under configuration management. (CM-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. (CM-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. (CM-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that addresses roles, responsibilities, and configuration management processes and procedures. (CM-9a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items. (CM-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that defines the configuration items for the information system and places the configuration items under configuration management. (CM-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develop, document, and implement a configuration management plan for the system that: (CM-9 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop, document, and implement a configuration management plan for the system that: (CM-9 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization develops, documents, and implements a configuration management plan for the information system that: (CM-9 Control, TX-RAMP Security Controls Baseline Level 2)