CM-01 | Policy and Procedures |
CM-02 | Baseline Configuration |
CM-02(01) | Reviews and Updates | Incorporated into CM-2. |
CM-02(02) | Automation Support for Accuracy and Currency |
CM-02(03) | Retention of Previous Configurations |
CM-02(04) | Unauthorized Software | Incorporated into CM-7.4. |
CM-02(05) | Authorized Software | Incorporated into CM-7.5. |
CM-02(06) | Development and Test Environments |
CM-02(07) | Configure Systems and Components for High-risk Areas |
CM-03 | Configuration Change Control |
CM-03(01) | Automated Documentation, Notification, and Prohibition of Changes |
CM-03(02) | Testing, Validation, and Documentation of Changes |
CM-03(03) | Automated Change Implementation |
CM-03(04) | Security and Privacy Representatives |
CM-03(05) | Automated Security Response |
CM-03(06) | Cryptography Management |
CM-03(07) | Review System Changes |
CM-03(08) | Prevent or Restrict Configuration Changes |
CM-04 | Impact Analyses |
CM-04(01) | Separate Test Environments |
CM-04(02) | Verification of Controls |
CM-05 | Access Restrictions for Change |
CM-05(01) | Automated Access Enforcement and Audit Records |
CM-05(02) | Review System Changes | Incorporated into CM-3.7. |
CM-05(03) | Signed Components | Moved to CM-14. |
CM-05(04) | Dual Authorization |
CM-05(05) | Privilege Limitation for Production and Operation |
CM-05(06) | Limit Library Privileges |
CM-05(07) | Automatic Implementation of Security Safeguards | Incorporated into SI-7. |
CM-06 | Configuration Settings |
CM-06(01) | Automated Management, Application, and Verification |
CM-06(02) | Respond to Unauthorized Changes |
CM-06(03) | Unauthorized Change Detection | Incorporated into SI-7. |
CM-06(04) | Conformance Demonstration | Incorporated into CM-4. |
CM-07 | Least Functionality |
CM-07(01) | Periodic Review |
CM-07(02) | Prevent Program Execution |
CM-07(03) | Registration Compliance |
CM-07(04) | Unauthorized Software — Deny-by-exception |
CM-07(05) | Authorized Software — Allow-by-exception |
CM-07(06) | Confined Environments with Limited Privileges |
CM-07(07) | Code Execution in Protected Environments |
CM-07(08) | Binary or Machine Executable Code |
CM-07(09) | Prohibiting The Use of Unauthorized Hardware |
CM-08 | System Component Inventory |
CM-08(01) | Updates During Installation and Removal |
CM-08(02) | Automated Maintenance |
CM-08(03) | Automated Unauthorized Component Detection |
CM-08(04) | Accountability Information |
CM-08(05) | No Duplicate Accounting of Components | Incorporated into CM-8. |
CM-08(06) | Assessed Configurations and Approved Deviations |
CM-08(07) | Centralized Repository |
CM-08(08) | Automated Location Tracking |
CM-08(09) | Assignment of Components to Systems |
CM-09 | Configuration Management Plan |
CM-09(01) | Assignment of Responsibility |
CM-10 | Software Usage Restrictions |
CM-10(01) | Open-source Software |
CM-11 | User-installed Software |
CM-11(01) | Alerts for Unauthorized Installations | Incorporated into CM-8.3. |
CM-11(02) | Software Installation with Privileged Status |
CM-11(03) | Automated Enforcement and Monitoring |
CM-12 | Information Location |
CM-12(01) | Automated Tools to Support Information Location |
CM-13 | Data Action Mapping |
CM-14 | Signed Components |