CM-06-727 Configuration Settings

Configuration Settings

Control ID

CM-06-727

Control Name

Configuration Settings

Control Category

Configuration Management

Functional Areas

Sub-Areas

NIST Baseline Level(s)

LOW, MOD, HIGH

NIST Priority

State Implementation Required

Yes

Agency Last Implemented Date

January 20, 2018

Agency Implementation

The Center for Internet Security (CIS) Benchmarks Level I standards shall be the baseline set of configuration settings for all Agency-owned information resources, when available.

Risk Statement

Changes to the production environment are not operating as expected disrupt the production environment.

Control Description

The organization: a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b. Implements the configuration settings; c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Control Example

The organization maintains a baseline of configuration settings.

State Implementation

The state organization: • establishes mandatory configuration settings for information technology products employed within the information system; • configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; • documents the configuration settings; and • enforces the configuration settings in all components of the information system.

Testing Procedures

Obtain configuration management policy; procedures addressing configuration settings for the information system; information system configuration settings and associated documentation; NIST Special Publication 800-70; other relevant documents or records and ascertain if: (I)the organization establishes mandatory configuration settings for information technology products employed within the information system. (ii)the organization configures the security settings of information technology products to the most restrictive mode consistent with operational requirements. (iii)the organization documents the configuration settings. (iv)the organization enforces the configuration settings in all components of the information system.