Establish, implement, and maintain configuration management procedures.

CONTROL ID: 14074
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a configuration management policy., CC ID: 14023

This Control has the following implementation support Control(s):
  • Disseminate and communicate the configuration management procedures to interested personnel and affected parties., CC ID: 14139
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The control system shall provide the capability to be configured according to recommended network and security configurations as described in guidelines provided by the control system supplier. The control system shall provide an interface to the currently deployed network and security configuration… (11.8.1 ¶ 1, IEC 62443-3-3: Industrial communication networks – Network and system security – Part 3-3: System security requirements and security levels, Edition 1)
  • Components shall provide the capability to be configured according to recommended network and security configurations as described in guidelines provided by the control system supplier. The component shall provide an interface to the currently deployed network and security configuration settings. (11.8.1 ¶ 1, IEC 62443-4-2: Security for industrial automation and control systems – Part 4-2: Technical security requirements for IACS components, Edition 1.0)
  • Documented. (2.1.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Kept up to date. (2.1.1 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • In use. (2.1.1 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation and interview personnel to verify that security policies and operational procedures identified in Requirement 2 are managed in accordance with all elements specified in this requirement. (2.1.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Documented. (2.1.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (2.1.1 Bullet 2, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (2.1.1 Bullet 3, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (2.1.1 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (2.1.1 Bullet 2, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (2.1.1 Bullet 3, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (2.1.1 Bullet 1, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (2.1.1 Bullet 2, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (2.1.1 Bullet 3, Self-Assessment Questionnaire C-VT and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (2.1.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (2.1.1 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (2.1.1 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Documented. (2.1.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • In use. (2.1.1 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Kept up to date. (2.1.1 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of the control operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by … (¶ 3.138, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of a control's operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by … (¶ 3.153, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • IaaS/PaaS: Securely configure (harden / STIG) / patch / maintain each application provided/installed by the Mission Owner IAW DoD policy and USCYBERCOM direction. The use of DoD STIGs and SRGs is required for secure configuration as is compliance with IAVMs. (Section 5.10.6 ¶ 1 Bullet 8, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • Configuration management processes. (VI.B Action Summary ¶ 2 Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Configuration management procedures [FedRAMP Assignment: at least annually or whenever a significant change occurs]. (CM-1b.2. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Configuration management procedures [FedRAMP Assignment: at least annually]. (CM-1b.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Configuration management procedures [FedRAMP Assignment: at least annually]. (CM-1b.2. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (CM-1c.2., FedRAMP Security Controls High Baseline, Version 5)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (CM-1c.2., FedRAMP Security Controls Low Baseline, Version 5)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Procedures [FedRAMP Assignment: at least annually] and following [FedRAMP Assignment: significant changes]. (CM-1c.2., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CM-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CM-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CM-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CM-1c.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CM-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CM-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CM-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CM-1c.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization provides an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team. (SA-10(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CM-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team. (SA-10(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; (CM-1a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. (CM-1c.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team. (SA-10(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Configuration management procedures [Assignment: organization-defined frequency]. (CM-1b.2., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Configuration management practices are established and applied (PR.PS-01, The NIST Cybersecurity Framework, v2.0)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2., TX-RAMP Security Controls Baseline Level 1)
  • Configuration management procedures [TX-RAMP Assignment: at least annually]. (CM-1b.2., TX-RAMP Security Controls Baseline Level 1)
  • Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and (CM-1a.2., TX-RAMP Security Controls Baseline Level 2)
  • Configuration management procedures [TX-RAMP Assignment: at least annually]. (CM-1b.2., TX-RAMP Security Controls Baseline Level 2)