CM-06-727 Configuration Settings

Configuration Management
LOW, MOD, HIGH
P1
Yes
January 20, 2018

The Center for Internet Security (CIS) Benchmarks Level I standards shall be the baseline set of configuration settings for all Agency-owned information resources, when available.

Changes to the production environment that do not operate as expected disrupt the production environment.
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
The organization maintains a baseline of configuration settings.
The state organization:
• establishes mandatory configuration settings for information technology products employed within the information system;
• configures the security settings of information technology products to the most restrictive mode consistent with operational requirements;
• documents the configuration settings; and
• enforces the configuration settings in all components of the information system.

Obtain configuration management policy; procedures addressing configuration settings for the information system; information system configuration settings and associated documentation; NIST Special Publication 800-70; other relevant documents or records and ascertain if:
(i) the organization establishes mandatory configuration settings for information technology products employed within the information system.
(ii) the organization configures the security settings of information technology products to the most restrictive mode consistent with operational requirements.
(iii) the organization documents the configuration settings.
(iv) the organization enforces the configuration settings in all components of the information system.