CM-12 Information Location
a. Identify and document the location of cm-12_odp and the specific system components on which the information is processed and stored;
b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
c. Document changes to the location (i.e., system or system components) where the information is processed and stored.
Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445) ). The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).
- FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
- SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
- SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
Control Enhancements 1
Related controls 16
- AC-02 Account Management L M H P
- AC-03 Access Enforcement L M H P
- AC-04 Information Flow Enforcement L M H P
- AC-06 Least Privilege L M H P
- AC-23 Data Mining Protection L M H P
- CM-08 System Component Inventory L M H P
- PM-05 System Inventory L M H P
- RA-02 Security Categorization L M H P
- SA-04 Acquisition Process L M H P
- SA-08 Security and Privacy Engineering Principles L M H P
- SA-17 Developer Security and Privacy Architecture and Design L M H P
- SC-04 Information in Shared System Resources L M H P
- SC-16 Transmission of Security and Privacy Attributes L M H P
- SC-28 Protection of Information at Rest L M H P
- SI-04 System Monitoring L M H P
- SI-07 Software, Firmware, and Information Integrity L M H P