Authorizes internal connections of [Assignment: organization-defined information system components or classes of components] to the information system; and
Documents, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated.
Supplemental Guidance: This control applies to connections between organizational information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers. Instead of authorizing each individual internal connection, organizations can authorize internal connections for a class of components with common characteristics and/or configurations, for example, all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability or all smart phones with a specific baseline configuration. Related controls: AC-3, AC-4, AC-18, AC-19, AU-2, AU-12, CA-7, CM-2, IA-3, SC-7, SI-4.
Control Enhancements:
internal system connections | security compliance checks
The information system performs security compliance checks on constituent system components prior to the establishment of the internal connection.
Supplemental Guidance: Security compliance checks may include, for example, verification of the relevant baseline configuration. Related controls: CM-6.
References: None.
Priority and Baseline Allocation:
P2
LOW CA-9
MOD CA-9
HIGH CA-9
FAMILY: CONFIGURATION MANAGEMENT
CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES
Control: The organization:
Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
Reviews and updates the current:
Configuration management policy [Assignment: organization-defined frequency]; and
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the CM family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100.
Priority and Baseline Allocation:
P1
LOW CM-1
MOD CM-1
HIGH CM-1
CM-2 BASELINE CONFIGURATION
Control: The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Supplemental Guidance: This control establishes baseline configurations for information systems and system components including communications and connectivity-related aspects of systems. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. Maintaining baseline configurations requires creating new baselines as organizational information systems change over time. Baseline configurations of information systems reflect the current enterprise architecture. Related controls: CM-3, CM-6, CM-8, CM-9, SA-10, PM-5, PM-7.
Control Enhancements:
baseline configuration | reviews and updates
The organization reviews and updates the baseline configuration of the information system:
[Assignment: organization-defined frequency];
When required due to [Assignment organization-defined circumstances]; and
As an integral part of information system component installations and upgrades.
Supplemental Guidance: Related control: CM-5.
baseline configuration | automation support for accuracy / currency
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
Supplemental Guidance: Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities. Related controls: CM-7, RA-5.
baseline configuration | retention of previous configurations
The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
Supplemental Guidance: Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records.
baseline configuration | unauthorized software
[Withdrawn: Incorporated into CM-7].
baseline configuration | authorized software
[Withdrawn: Incorporated into CM-7].
baseline configuration | development and test environments
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
Supplemental Guidance: Establishing separate baseline configurations for development, testing, and operational environments helps protect information systems from unplanned/unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, management of operational configurations typically emphasizes the need for stability, while management of development/test configurations requires greater flexibility. Configurations in the test environment mirror the configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. This control enhancement requires separate configurations but not necessarily separate physical environments. Related controls: CM-4, SC-3, SC-7.
baseline configuration | configure systems, components, or devices for high-risk areas
The organization:
Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
Supplemental Guidance: When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include, for example, determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family.
