ARTIFACTS

CM: CONFIGURATION MANAGEMENT

What's On This Page

Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.

Supplement the artifacts here with other relevant documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.

The Source of the Artifacts

The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Federal Information Systems and Organizations, and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.

Essential Artifacts for Risk-Based Cybersecurity Programs

This section includes the core documents for a risk-based cybersecurity program; the POLICY & PROCEDURES document for Configuration Management (CM); and the documents that are widely used in the assessment of controls and control enhancements in the Configuration Management (CM) family. Policy and Procedure documents from the control families are in CAPS and identified with their two-letter code.

CORE ARTIFACTS
  • CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM)

WIDELY USED ARTIFACTS FOR CONFIGURATION MANAGEMENT (CM)
  • Configuration Management policies and procedures
  • Information system design documentation
  • Information system configuration settings and associated documentation
  • Information system audit records
  • Security Authorization Package Documents:
    • Security Plan
    • Security Assessment
    • Plan of Action and Milestones (POA&M)

ESSENTIALS
ACCESS CONTROL POLICY & PROCEDURES (AC)
Asset Inventory
AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU)
Configuration Management Plan
CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM)
Contingency Plan

  • Plans related to a comprehensive Contingency Plan:
    • Business Continuity Plans
    • Disaster Recovery Plans
    • Continuity of Operations Plans
    • Crisis Communications Plans
    • Critical Infrastructure Plans
    • Cyber Incident Response Plans
    • Insider Threat Implementation Plan
    • Occupant Emergency Plans
CONTINGENCY PLANNING POLICY & PROCEDURES (CP)
Continuous Monitoring Strategy
Continuous Monitoring Plan
Enterprise Architecture (EA)
IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA)
INCIDENT RESPONSE POLICY & PROCEDURES (IR)
INFORMATION SECURITY PROGRAM PLAN (PM)
MEDIA PROTECTION POLICY & PROCEDURES (MP)
PERSONNEL SECURITY POLICY & PROCEDURES (PS)
PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE)
Privacy Impact Assessment
Privacy Program Plan
Risk Assessment
RISK ASSESSMENT POLICY & PROCEDURES (RA)
SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA)
SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT)
Security Configurations
SECURITY PLANNING POLICY & PROCEDURES (PL)
SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC)
SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI)
SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA)
System Interconnection Agreements
SYSTEM MAINTENANCE POLICY & PROCEDURES (MA)

Policy & Procedures

Here you'll find a catalog of Configuration Management (CM) related policies and procedures for managing the configuration of your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.

POLICIES & PROCEDURES | APPLICABLE CONTROL(S)
Configuration management policy and procedures | CM-1
Procedures addressing access restrictions for changes to the information system | CM-5, CM-5 (1), CM-5 (2), CM-5 (3), CM-5 (4), CM-5 (5), CM-5 (6)
Procedures addressing configuration management planning | CM-9
Procedures addressing configuration settings for the information system | CM-6, CM-6 (1), CM-6 (2)
Procedures addressing information system component installations and upgrades | CM-2 (1), CM-2 (7)
Procedures addressing information system component inventory | CM-8, CM-8 (1), CM-8 (2), CM-8 (3), CM-8 (4), CM-8 (5), CM-8 (6), CM-8 (7), CM-8 (8), CM-8 (9)
Procedures addressing information system configuration change control | CM-3, CM-3 (1), CM-3 (2), CM-3 (3), CM-3 (4), CM-3 (5), CM-3 (6)
Procedures addressing least functionality in the information system | CM-7, CM-7 (1), CM-7 (2), CM-7 (3), CM-7 (4), CM-7 (5)
Procedures addressing responsibilities for configuration management process development | CM-9 (1)
Procedures addressing restrictions on use of open source software | CM-10 (1)
Procedures addressing security impact analysis for changes to the information system | CM-4, CM-4 (1), CM-4 (2)
Procedures addressing software usage restrictions | CM-10
Procedures addressing the baseline configuration of the information system | CM-2, CM-2 (1), CM-2 (2), CM-2 (3), CM-2 (6), CM-2 (7)
Procedures addressing user installed software | CM-11, CM-11 (1), CM-11 (2)

Evidence, Records & Artifacts

Here you'll find a catalog of the evidence, records and artifacts used to assess the Configuration Management (CM) controls and control enhancements for your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.

ARTIFACT | APPLICABLE CONTROL(S)
Access credentials | CM-5
Acknowledgements of information system component assignments | CM-8 (9)
Agenda/minutes from configuration change control oversight meetings | CM-3
Alerts/notifications of unauthorized baseline configuration changes | CM-3 (5)
Alerts/notifications of unauthorized changes to information system configuration settings | CM-6 (2)
Alerts/notifications of unauthorized components within the information system | CM-8 (3)
Alerts/notifications of unauthorized software installations | CM-11 (2)
Analysis tools and associated outputs | CM-4, CM-4 (1), CM-4 (2)
Audit and compliance reviews | CM-7 (3)
Audit and review reports | CM-5 (2)
Automated configuration control mechanisms | CM-3 (1), CM-3 (3)
Change approval requests | CM-3 (1)
Change approvals | CM-3 (1)
Change control audit and review reports | CM-3
Change control records | CM-2, CM-2 (1), CM-2 (7), CM-3, CM-3 (1), CM-3 (2), CM-3 (3), CM-4, CM-4 (1), CM-4 (2), CM-5, CM-5 (1), CM-5 (2), CM-5 (3), CM-5 (4), CM-5 (5), CM-5 (6), CM-6, CM-6 (1), CM-6 (2), CM-7 (1), CM-7 (2), CM-7 (4), CM-7 (5), CM-8 (2), CM-8 (3)
Component installation records | CM-8 (1)
Component removal records | CM-8 (1)
Configuration change control records | CM-2 (2)
Continuous monitoring strategy | CM-11
Copies of previous baseline configuration versions | CM-2 (3)
Documentation evidence of separate test and operational environments | CM-4 (1)
Documented responses to unauthorized changes to information system configuration settings | CM-6 (2)
Documented reviews of functions, ports, protocols, and/or services | CM-7 (1)
Enterprise architecture documentation | CM-2
Evidence supporting approved deviations from established configuration settings | CM-6
Information system component installations/upgrades and associated records | CM-2 (1), CM-2 (7)
Information system design documentation | CM-4 (1)
Information system inventory records | CM-8, CM-8 (1), CM-8 (2), CM-8 (3), CM-8 (4), CM-8 (5), CM-8 (6), CM-8 (7), CM-8 (8), CM-8 (9)
Information system inventory repository | CM-8 (7)
Information system maintenance records | CM-8 (2)
Information system monitoring records | CM-8 (3), CM-11
Inventory reviews and update records | CM-8, CM-8 (1)
Logical access approvals | CM-5
Physical access approvals | CM-5
Records of information system baseline configuration reviews and updates | CM-2 (1), CM-2 (7)
Review and update records associated with list of authorized software programs | CM-7 (5)
Review and update records associated with list of unauthorized software programs | CM-7 (4)
Reviews of information system changes | CM-5 (2)
Security impact analysis documentation | CM-4, CM-4 (1), CM-4 (2)
Site license documentation | CM-10
Software contract agreements and copyright laws | CM-10
Software license tracking reports | CM-10
Specifications for preventing software program execution | CM-7 (2)
Test records | CM-3 (2)
User privilege recertifications | CM-5 (5)
User privilege reviews | CM-5 (5)
Validation records | CM-3 (2)

Configuration Management Related Lists

These are the Configuration Management (CM) related lists you may need to support your security program. For each list applicable to your systems and information supply chain you should know the source of the list and the data it contains; how the list is generated, where it is stored, and how it is maintained; and how to obtain it when you have an incident, an incident investigation, or an audit.

LIST | APPLICABLE CONTROL(S)
List of rules governing user installed software | CM-11
List of software and firmware components to be prohibited from installation without a recognized and approved certificate | CM-5 (3)
List of software programs authorized to execute on the information system | CM-7 (5)
List of software programs not authorized to execute on the information system | CM-7 (4)
List of software usage restrictions | CM-10
Security configuration checklists | CM-6, CM-6 (1), CM-7, CM-7 (1), CM-7 (4), CM-7 (5)