BRACKETOLOGY | FEDRAMP
CM-6: CONFIGURATION SETTINGS
FedRAMP Baseline Membership CM-6:
- LOW
- MODERATE
- HIGH
The organization:
- a. Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
- b. Implements the configuration settings;
- c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
- d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
- a. Establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements; (See CM-6(a) Additional FedRAMP Requirements and Guidance)
- b. Implements the configuration settings;
- c. Identifies, documents, and approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; and
- d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
FedRAMP REQUIREMENT:
- CM-6a.: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings or establish its own configuration settings if USGCB is not available. If no recognized USGCB is available for the technology in use, the CSP should create its own baseline and include a justification statement as to how it came up with the baseline configuration settings.
- CM-6a.: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) (http://scap.nist.gov/) validated or SCAP compatible (if validated checklists are not available).
FedRAMP GUIDANCE:
Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc.
SUPPLEMENTAL GUIDANCE
"Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems."
CONTROL ENHANCEMENTS
CM-6 (1) CONFIGURATION SETTINGS | AUTOMATED CENTRAL MANAGEMENT / APPLICATION / VERIFICATION
FedRAMP Baseline Membership CM-6 (1):
- MODERATE
- HIGH
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.
There are no FedRAMP-specific requirements if this control is used for a HIGH Impact system.
Supplemental Guidance: NONE
CM-6 (2) CONFIGURATION SETTINGS | RESPOND TO UNAUTHORIZED CHANGES
FedRAMP Baseline Membership CM-6 (2):
- HIGH
The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.
There are no FedRAMP-specific requirements if this control is used for a MODERATE Impact system.
There are no FedRAMP-specific requirements if this control is used for a HIGH Impact system.
Supplemental Guidance:
Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing.
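The following is an added example, not code from the FedRAMP or NIST text above: a small Python check that ties the base control and the enhancement together by comparing a component's observed settings against a security configuration checklist (CM-6a), honouring approved and justified deviations (CM-6c), verifying compliance (CM-6(1)), and selecting a response for each unauthorized difference (CM-6(2)). The setting names, values, component names and the restore/alert response policy are constructed assumptions, not real checklist or CCE entries.

```python
"""Added example (not from the FedRAMP/NIST page): a minimal CM-6 check.
A security configuration checklist (CM-6a) is compared with a component's
observed settings (CM-6(1) verify); approved, documented deviations (CM-6c)
are honoured; any other mismatch is a finding that selects a response
safeguard (CM-6(2)). All setting names and values are constructed samples."""
from dataclasses import dataclass
from typing import Optional

# Constructed checklist: setting -> required value (most restrictive mode).
CHECKLIST = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "net.ipv4.ip_forward": "0",
    "audit.enabled": "yes",
}

@dataclass(frozen=True)
class Deviation:           # CM-6c: an approved exception with its justification
    setting: str
    allowed_value: str
    components: frozenset  # components the deviation is approved for
    justification: str

@dataclass(frozen=True)
class Finding:
    component: str
    setting: str
    expected: str
    observed: Optional[str]  # None means the setting is absent entirely
    response: str            # CM-6(2): "restore" or "alert"

def verify(component, observed, checklist=CHECKLIST, deviations=()):
    """Return Findings for one component: every checklist setting whose
    observed value differs from the required one and is not covered by an
    approved deviation for exactly this component, setting and value."""
    findings = []
    for setting, required in checklist.items():
        actual = observed.get(setting)
        if actual == required:
            continue
        if any(d.setting == setting and d.allowed_value == actual
               and component in d.components for d in deviations):
            continue  # documented and approved under CM-6c
        # Response policy (an assumption of this example): restore a value that
        # drifted; only alert when the setting is missing, since a blind restore
        # of an absent setting may not be safe.
        response = "alert" if actual is None else "restore"
        findings.append(Finding(component, setting, required, actual, response))
    return findings
```

A deviation only suppresses a finding when the component, setting and observed value all match the approved record, so an exception granted to one component does not silently cover another.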
CM-6 (3) CONFIGURATION SETTINGS | UNAUTHORIZED CHANGE DETECTION
[Withdrawn: Incorporated into SI-7].
CM-6 (4) CONFIGURATION SETTINGS | CONFORMANCE DEMONSTRATION
[Withdrawn: Incorporated into CM-4].
REFERENCES:
- NIST Special Publication 800-128
- NIST Special Publication 800-70
- OMB Memorandum 07-11
- OMB Memorandum 07-18
- OMB Memorandum 08-22
- http://checklists.nist.gov
- http://nvd.nist.gov
- http://www.nsa.gov