Document and approve any changes to the Configuration Baseline Documentation Record.

Back

CONTROL ID
12104

CONTROL TYPE
Establish/Maintain Documentation

CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):

Establish, implement, and maintain a Configuration Baseline Documentation Record., CC ID: 02130

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

Compare firewall, router, and switch configuration against standard secure configurations defined for each type of network device in use in the organization. The security configuration of such devices should be documented, reviewed, and approved by an organization change control board. Any deviation… (Control 11.1, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
Baseline security requirements shall be established for developed or acquired, organizationally-owned or managed, physical or virtual, applications and infrastructure system and network components that comply with applicable legal, statutory and regulatory compliance obligations. Deviations from sta… (GRM-01, Cloud Controls Matrix, v3.0)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
Document the results of the verification. (CIP-010-4 Table R1 Part 1.4 Requirements 1.4.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments. (CIP-010-4 Table R1 Part 1.5 Requirements 1.5.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
Authorize and document changes that deviate from the existing baseline configuration. (CIP-010-4 Table R1 Part 1.2 Requirements ¶ 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
Authorize and document changes that deviate from the existing baseline configuration. (CIP-010-2 Table R1 Part 1.2 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
Document the results of the verification. (CIP-010-2 Table R1 Part 1.4 Requirements 1.4.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments. (CIP-010-2 Table R1 Part 1.5 Requirements 1.5.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
Document the results of the verification. (CIP-010-3 Table R1 Part 1.4 Requirements 1.4.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
Authorize and document changes that deviate from the existing baseline configuration. (CIP-010-3 Table R1 Part 1.2 Requirements ¶ 1, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
Document the results of the testing and, if a test environment was used, the differences between the test environment and the production environment, including a description of the measures used to account for any differences in operation between the test and production environments. (CIP-010-3 Table R1 Part 1.5 Requirements 1.5.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., FedRAMP Security Controls High Baseline, Version 5)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., FedRAMP Security Controls Low Baseline, Version 5)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., FedRAMP Security Controls Moderate Baseline, Version 5)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., TX-RAMP Security Controls Baseline Level 1)
Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures. (CM-6d., TX-RAMP Security Controls Baseline Level 2)