CM-01 Policy and Procedures
a. Develop, document, and disseminate to cm-1_prm_1:
1. cm-01_odp.03 configuration management policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
b. Designate an cm-01_odp.04 to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
c. Review and update the current configuration management:
1. Policy cm-01_odp.05 and following cm-01_odp.06 ; and
2. Procedures cm-01_odp.07 and following cm-01_odp.08.
|cm-1_prm_1||organization-defined personnel or roles|
|cm-01_odp.01||personnel or roles|
|cm-01_odp.02||personnel or roles|
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource* , July 2016.
- SP 800-12 Nieles M, Pillitteri VY, Dempsey KL (2017) An Introduction to Information Security. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-12, Rev. 1.
- SP 800-30 Joint Task Force Transformation Initiative (2012) Guide for Conducting Risk Assessments. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-30, Rev. 1.
- SP 800-39 Joint Task Force Transformation Initiative (2011) Managing Information Security Risk: Organization, Mission, and Information System View. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-39.
- SP 800-100 Bowen P, Hash J, Wilson M (2006) Information Security Handbook: A Guide for Managers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-100, Includes updates as of March 7, 2007.
Related controls 4
- PM-09 Risk Management Strategy L M H P
- PS-08 Personnel Sanctions L M H P
- SA-08 Security and Privacy Engineering Principles L M H P
- SI-12 Information Management and Retention L M H P