Information Technology Reference
In-Depth Information
| Category/Subcategory/Element | Control Reference | Control Summary | Interpretation |
|---|---|---|---|
| | CM-2 Baseline configuration | The organization develops, documents, and maintains a current baseline configuration of the information system. | |
| | CM-3 Configuration change control | The organization authorizes, documents, and controls changes to the information system. | |
| | CM-4 Monitoring configuration changes | The organization monitors changes to the information system conducting security impact analyses to determine the effects of the changes. | |
| | CM-5 Access restrictions for change | The organization: (i) approves individual access privileges and enforces physical and logical access restrictions associated with changes to the information system; and (ii) generates, retains, and reviews records reflecting all such changes. | |
| | CM-6 Configuration settings | The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system. | |
| | CM-7 Least functionality | The organization configures the information system to provide only essential capabilities and specifically prohibits or restricts the use of the following functions, ports, protocols, and/or services: [assignment: organization-defined list of prohibited and restricted functions, ports, protocols, and services]. | |
 