CM - CONFIGURATION MANAGEMENT
CM-7(5): AUTHORIZED SOFTWARE / WHITELISTING
This is whitelisting (allowlisting). The organization identifies the software programs authorized to execute on the info system, employs a deny-all, permit-by-exception policy so that everything not on the list is blocked, and reviews and updates the list of authorized programs regularly. The opposite of CM-7(4).
CM-9: CONFIGURATION MANAGEMENT PLAN
A configuration management plan for the system is created and implemented. The plan addresses roles, responsibilities, and configuration management processes and procedures; establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of those items; and defines the configuration items for the info system and places them under configuration management. The plan itself is protected from unauthorized disclosure and modification.
CM-8(5): NO DUPLICATE ACCOUNTING OF COMPONENTS
All components within the authorization boundary of the info system are verified so that none are also counted in the component inventory of another info system.
CM-8(3): AUTOMATED UNAUTHORIZED COMPONENT DETECTION
Automated mechanisms are in place (at an organization-defined frequency) to detect the presence of unauthorized hardware, software, and firmware components, and defined actions are taken when they are detected, such as disabling the component's network access, isolating it, and notifying designated personnel.
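As an added example (not part of the original notes), the check behind CM-8(3) can be reduced to comparing what a scan actually found against the authorized CM-8 inventory and deciding an action per mismatch. The inventory, the scan output, the field names, and the action labels are constructed sample data; a real deployment would pull the inventory from the CMDB and the scan from a network or endpoint agent. Note the MAC normalization: scanners disagree on case and separators, and an unnormalized compare silently produces false "unauthorized" findings.

```python
"""Automated unauthorized-component detection in the spirit of CM-8(3).

Compares observed components (what a scan found) against the authorized
component inventory (CM-8) and assigns an action to each finding.
All data below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def normalize_mac(mac: str) -> str:
    """Canonical lowercase, colon-separated MAC so that '00-11-22-33-44-02'
    and '00:11:22:33:44:02' compare equal."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Authorized inventory keyed by MAC (constructed; hypothetical field set).
AUTHORIZED_INVENTORY: Dict[str, dict] = {
    "00:11:22:33:44:01": {"hostname": "web01", "owner": "ops", "role": "web"},
    "00:11:22:33:44:02": {"hostname": "db01", "owner": "dba", "role": "database"},
    "00:11:22:33:44:03": {"hostname": "jump01", "owner": "secops", "role": "bastion"},
}

# Constructed scan output: (mac as the scanner printed it, ip, reported hostname).
SCAN_RESULTS: List[Tuple[str, str, str]] = [
    ("00:11:22:33:44:01", "10.0.0.11", "web01"),
    ("00-11-22-33-44-02", "10.0.0.12", "db01"),          # different MAC formatting
    ("00:11:22:33:44:99", "10.0.0.77", "raspberrypi"),   # not in the inventory
    ("00:11:22:33:44:03", "10.0.0.13", "jumphost-old"),  # inventory says jump01
]


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    reason: str
    action: str   # hypothetical action labels, see CM-8(3) actions in the notes


def detect_unauthorized(authorized: Dict[str, dict],
                        scan: List[Tuple[str, str, str]]) -> List[Finding]:
    """Return one Finding per observed component that is either absent from the
    authorized inventory (isolate and notify) or present but with attributes
    that no longer match the inventory record (notify for review)."""
    findings: List[Finding] = []
    for raw_mac, ip, reported_name in scan:
        mac = normalize_mac(raw_mac)
        record = authorized.get(mac)
        if record is None:
            findings.append(Finding(mac, ip,
                                    "component not in authorized inventory",
                                    "isolate-and-notify"))
        elif record["hostname"] != reported_name:
            findings.append(Finding(mac, ip,
                                    f"hostname mismatch: inventory={record['hostname']} "
                                    f"observed={reported_name}",
                                    "notify"))
    return findings


def missing_components(authorized: Dict[str, dict],
                       scan: List[Tuple[str, str, str]]) -> List[str]:
    """Authorized components the scan did not see at all; these are not
    'unauthorized' but the inventory is stale or the asset is offline."""
    seen = {normalize_mac(m) for m, _, _ in scan}
    return sorted(set(authorized) - seen)


if __name__ == "__main__":
    for f in detect_unauthorized(AUTHORIZED_INVENTORY, SCAN_RESULTS):
        print(f"{f.action:20} {f.mac} {f.ip}  {f.reason}")
    print("not seen by scan:", missing_components(AUTHORIZED_INVENTORY, SCAN_RESULTS))
```

Two findings come out of the sample data: the unknown device at 10.0.0.77 gets the isolate-and-notify action, and jump01 reporting a different hostname gets a review notification; db01 is correctly matched despite its differently formatted MAC.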
CM-5: ACCESS RESTRICTIONS FOR CHANGE
Organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system. Basically, it's exactly how the control sounds: only authorized individuals can make changes to the system, and the restrictions cover both the hardware and the software/configuration.
CM-2: BASELINE CONFIGURATION
Organization develops, documents, and maintains under config control, a current baseline configuration of the information system. Baseline configurations are documented, formally reviewed, and agreed-upon sets of specifications for info systems or configuration items within those systems.
CM-4(1): SEPARATE TEST ENVIRONMENTS
Organization has a separate test environment that is used to test for flaws, weaknesses, incompatibility, or intentional malice before implementation in an operational environment.
CM-3(2): TEST / VALIDATE / DOCUMENT CHANGES
Organization tests, validates, and documents changes to the info system before implementing them on the operational system.
CM-2(3): RETENTION OF PREVIOUS CONFIGURATIONS
Previous versions of the baseline configuration are retained (organization-defined number) to support rollback.
CM-7(2): PREVENT PROGRAM EXECUTION
Program execution is prevented in accordance with organization-defined policies regarding software program usage and restrictions, and/or rules authorizing the terms and conditions of software program usage.
CM-11: USER-INSTALLED SOFTWARE
Rules are established governing the installation of software by users. Software installation policies are enforced, and policy compliance is monitored at an organization-defined frequency.
CM-7(1): PERIODIC REVIEW
System is reviewed at an organization-defined frequency to identify unnecessary and/or nonsecure functions, ports, protocols, and services, and those identified are disabled.
CM-2(7): CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS
The organization issues organization-defined systems, components, or devices with specific configurations to individuals traveling to locations that the organization deems to be of significant risk. Organization-defined security safeguards are then applied to the devices when the individuals return.
CM-10: SOFTWARE USAGE RESTRICTIONS
The organization uses software and associated documentation in accordance with contract agreements and copyright laws. The use of software and documentation protected by quantity licenses is tracked to control copying and distribution. Peer-to-peer file sharing technology is controlled and documented to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
CM-2(6): DEVELOPMENT AND TEST ENVIRONMENTS
A baseline configuration for the info system development and test environments is maintained, and it is managed separately from the operational baseline configuration.
CM-2(1): REVIEWS AND UPDATES
Baseline configuration is reviewed and updated at an organization-defined frequency, when required due to organization-defined circumstances, and as an integral part of info system component installations and upgrades.
CM-5(2): REVIEW SYSTEM CHANGES
Info system changes are reviewed by the organization at an organization-defined frequency, and when organization-defined circumstances occur, to determine whether any unauthorized changes have occurred.
CM-4: SECURITY IMPACT ANALYSIS
Changes to the info system are analyzed to determine potential security impacts prior to change implementation. The people doing the analysis need security expertise; they look at the changes for the introduction of flaws or weaknesses and for effects on existing security controls.
CM-6: CONFIGURATION SETTINGS
Configuration settings are established and documented for the info technology products employed within the info system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements. The configuration settings are implemented, and the organization identifies, documents, and approves any deviations from the established settings for organization-defined components. Changes to the configuration settings are monitored and controlled in accordance with organizational policies and procedures.
CM-3: CONFIGURATION CHANGE CONTROL
Determines the types of changes to the info system that are configuration-controlled. Reviews proposed configuration-controlled changes to the info system and approves or disapproves such changes with explicit consideration for security impact analyses. Documents the change decisions, implements the approved changes, and retains records of configuration-controlled changes to the info system for an organization-defined time period. Audits and reviews activities associated with configuration-controlled changes, and coordinates and provides oversight for change control activities through an organization-defined change control element (e.g., a change control board). This control covers the systematic proposal, justification, implementation, testing, review, and disposition of changes to the system, including system upgrades and modifications. THE CHANGES IN SCOPE ARE: changes to baseline configurations for components and configuration items, changes to configuration settings for IT products (e.g., operating systems, applications, firewalls, routers), unscheduled/unauthorized changes, and changes to remediate vulnerabilities.
CM-1: CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
General overview control. The organization develops, documents, and disseminates a configuration management policy (purpose, scope, roles, responsibilities, management commitment, coordination, compliance) and procedures to facilitate implementing the policy and the rest of the CM controls, and reviews and updates both at an organization-defined frequency.
CM-7(4): UNAUTHORIZED SOFTWARE / BLACKLISTING
Identifies organization-defined software programs not authorized to execute on the info system, employs an allow-all, deny-by-exception policy to prohibit the execution of those programs on the info system, and reviews and updates the list of unauthorized software programs at an organization-defined frequency. This is blacklisting (denylisting): anything not on the list runs.
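As an added example (not part of the original notes), here are the two execution policies behind CM-7(4) and CM-7(5) applied to the same set of programs. The program contents, paths, and list entries are constructed sample data. Entries are matched on the SHA-256 of the program bytes rather than on path or filename, so renaming or moving a binary does not change the decision; the example also shows the failure mode the denylist cannot cover, a never-before-seen program, and the failure mode the allowlist does cover, an approved program whose bytes have been modified.

```python
"""CM-7(4) allow-all/deny-by-exception versus CM-7(5) deny-all/permit-by-exception.

Decisions are made on content hashes, not filenames. All programs and list
entries are constructed sample data.
"""
import hashlib
from typing import Dict, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "program contents"; in practice these are the on-disk binaries.
PROGRAMS: Dict[str, bytes] = {
    "/usr/bin/approved-tool": b"approved tool v1",
    "/usr/bin/approved-tool.bak": b"approved tool v1",      # same bytes, new path
    "/usr/bin/ls": b"netcat",                               # denylisted tool renamed
    "/home/user/Downloads/new-util": b"nobody reviewed this",  # unknown program
    "/opt/approved-tool": b"approved tool v1 + backdoor",   # modified approved binary
}

# CM-7(4): known-bad programs. Hypothetical entry: a netcat build.
DENYLIST = {sha256_hex(b"netcat")}

# CM-7(5): approved programs. Hypothetical entry: approved-tool v1.
ALLOWLIST = {sha256_hex(b"approved tool v1")}


def denylist_decision(contents: bytes) -> bool:
    """CM-7(4): execution is allowed unless the hash is explicitly denied."""
    return sha256_hex(contents) not in DENYLIST


def allowlist_decision(contents: bytes) -> bool:
    """CM-7(5): execution is denied unless the hash is explicitly allowed."""
    return sha256_hex(contents) in ALLOWLIST


def evaluate(programs: Dict[str, bytes]) -> Dict[str, Tuple[bool, bool]]:
    """Map each path to (allowed under CM-7(4), allowed under CM-7(5))."""
    return {path: (denylist_decision(c), allowlist_decision(c))
            for path, c in programs.items()}


if __name__ == "__main__":
    print(f"{'path':32} {'denylist(4)':>12} {'allowlist(5)':>13}")
    for path, (deny_ok, allow_ok) in evaluate(PROGRAMS).items():
        print(f"{path:32} {'run' if deny_ok else 'BLOCK':>12} "
              f"{'run' if allow_ok else 'BLOCK':>13}")
```

The renamed netcat is blocked by both policies because the match is on the hash. The unreviewed download and the modified approved binary both run under the denylist, which is the reason the notes call CM-7(5) the stricter of the two: the allowlist blocks them without anyone having to know about them first.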
CM-7: LEAST FUNCTIONALITY
Info system is configured to provide only essential capabilities. Prohibits or restricts the use of organization-defined functions, ports, protocols, and/or services that are not needed for the system's mission.
CM-8: INFORMATION SYSTEM COMPONENT INVENTORY
An inventory of info system components is developed and documented that accurately reflects the current info system, includes all components within the authorization boundary of the info system, is at the level of granularity deemed necessary for tracking and reporting, and includes organization-defined information (e.g., hardware inventory specifications, software license information, owner) deemed necessary to achieve effective component accountability. The inventory is reviewed and updated at an organization-defined frequency.
CM-8(1): UPDATES DURING INSTALLATIONS / REMOVALS
Inventory of information system components is updated as an integral part of component installations, removals, and info system updates.
