CM-06 Configuration Settings
a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using cm-06_odp.01;
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for cm-06_odp.02 based on cm-06_odp.03; and
d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
| Parameter | Value |
|---|---|
| cm-06_odp.01 | common secure configurations |
Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.
Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.
Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline [USGCB](#98498928-3ca3-44b3-8b1e-f48685373087) and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.
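As an added illustration (not part of the NIST text, and not drawn from USGCB or any STIG), the following Python check models parts (a) to (d) of this control: a baseline of most-restrictive values, a comparison of a system's actual settings against it, approved-deviation records that excuse exactly one documented value, and a digest for detecting later drift. The setting names, values and the ticket id are constructed for the example.

```python
import hashlib

# Constructed baseline: most restrictive value per setting (CM-06 a); keys resemble sshd_config options, values are illustrative.
BASELINE = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "X11Forwarding": "no",
    "MaxAuthTries": "3",
}

# Constructed approved deviations (CM-06 c): setting -> (permitted value, rationale); the ticket id is a placeholder.
APPROVED_DEVIATIONS = {
    "MaxAuthTries": ("5", "CHG-PLACEHOLDER: legacy jump host, approved by ISSO"),
}

def parse_config(text):
    """Parse 'Key value' lines (sshd_config style); skip blanks and comments."""
    settings = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            settings[parts[0]] = parts[1].strip()
    return settings

def check_conformance(actual, baseline=BASELINE, approved=APPROVED_DEVIATIONS):
    """One record per departure from the baseline; 'approved' is True only when a documented
    exception permits exactly the observed value. A missing setting is reported as '<unset>'."""
    deviations = []
    for setting, expected in baseline.items():
        value = actual.get(setting, "<unset>")
        if value == expected:
            continue
        permitted, rationale = approved.get(setting, (None, ""))
        deviations.append({"setting": setting, "expected": expected, "actual": value,
                           "approved": value == permitted, "rationale": rationale})
    return deviations

def fingerprint(actual):
    """Stable digest of the settings so a later run can detect drift (CM-06 d)."""
    canon = "\n".join(f"{k}={v}" for k, v in sorted(actual.items()))
    return hashlib.sha256(canon.encode()).hexdigest()

SAMPLE_CONFIG = """\
# constructed sshd_config excerpt
PasswordAuthentication yes
PermitRootLogin no
MaxAuthTries 5
"""
```

Deviations whose `approved` flag is False are the findings that need remediation or a newly approved, documented exception; comparing `fingerprint()` output across runs flags any change to the settings between audits.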
- SP 800-70 Quinn SD, Souppaya MP, Cook MR, Scarfone KA (2018) National Checklist Program for IT Products: Guidelines for Checklist Users and Developers. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-70, Rev. 4.
- SP 800-126 Waltermire DA, Quinn SD, Booth H, III, Scarfone KA, Prisaca D (2018) The Technical Specification for the Security Content Automation Protocol (SCAP): SCAP Version 1.3. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-126, Rev. 3.
- SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
- USGCB National Institute of Standards and Technology (2020) *United States Government Configuration Baseline*. Available at
- NCPR National Institute of Standards and Technology (2020) *National Checklist Program Repository*. Available at
- DOD STIG Defense Information Systems Agency, *Security Technical Implementation Guides (STIG)*.
Control Enhancements
- CM-06(01) Automated Management, Application, and Verification
- CM-06(02) Respond to Unauthorized Changes
- CM-06(03) Unauthorized Change Detection
- CM-06(04) Conformance Demonstration
Related controls
- AC-03 Access Enforcement
- AC-19 Access Control for Mobile Devices
- AU-02 Event Logging
- AU-06 Audit Record Review, Analysis, and Reporting
- CA-09 Internal System Connections
- CM-02 Baseline Configuration
- CM-03 Configuration Change Control
- CM-05 Access Restrictions for Change
- CM-07 Least Functionality
- CM-11 User-installed Software
- CP-07 Alternate Processing Site
- CP-09 System Backup
- CP-10 System Recovery and Reconstitution
- IA-03 Device Identification and Authentication
- IA-05 Authenticator Management
- PL-08 Security and Privacy Architectures
- PL-09 Central Management
- RA-05 Vulnerability Monitoring and Scanning
- SA-04 Acquisition Process
- SA-05 System Documentation
- SA-08 Security and Privacy Engineering Principles
- SA-09 External System Services
- SC-18 Mobile Code
- SC-28 Protection of Information at Rest
- SC-43 Usage Restrictions
- SI-02 Flaw Remediation
- SI-04 System Monitoring
- SI-06 Security and Privacy Function Verification