Employ the Configuration Management program.


CONTROL ID: 11904
CONTROL TYPE: Configuration
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Configuration Management program., CC ID: 00867

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for managing vendor defaults and other security parameters are documented, in use, and known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are security protocols implemented to use only secure configurations, and to not support insecure versions or configurations? (4.1 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.1)
  • Are system configuration standards applied when new systems are configured? (2.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Are system configuration standards applied when new systems are configured? (2.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.1)
  • Are system configuration standards applied when new systems are configured? (2.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are system configuration standards applied when new systems are configured? (2.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are system configuration standards applied when new systems are configured? (2.2 (c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are system configuration standards applied when new systems are configured? (2.2(c), Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for managing vendor defaults and other security parameters: - Documented - In use - Known to all affected parties? (2.5, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for managing vendor defaults and other security parameters are: - Documented, - In use, and - Known to all affected parties. (2.5, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., FedRAMP Security Controls High Baseline, Version 5)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile. (3.5.3e, Enhanced Security Requirements for Protecting Controlled Unclassified Information, NIST SP 800-172)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Employ secure configuration management processes. (T0084, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Employ configuration management processes. (T0326, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Perform system administration on specialized cyber defense applications and systems (e.g., antivirus, audit and remediation) or Virtual Private Network (VPN) devices, to include installation, configuration, maintenance, backup, and restoration. (T0180, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Oversee installation, implementation, configuration, and support of system components. (T0507, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Employ configuration management processes. (T0326, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Oversee installation, implementation, configuration, and support of system components. (T0507, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Employ secure configuration management processes. (T0084, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Perform system administration on specialized cyber defense applications and systems (e.g., antivirus, audit and remediation) or Virtual Private Network (VPN) devices, to include installation, configuration, maintenance, backup, and restoration. (T0180, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Defines the configuration items for the system and places the configuration items under configuration management; (CM-9c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Defines the configuration items for the information system and places the configuration items under configuration management; and (CM-9c., TX-RAMP Security Controls Baseline Level 2)