ARTIFACTS
CM: CONFIGURATION MANAGEMENT
What's On This Page
Each control family has a page dedicated to presenting all of the artifacts associated with the controls and control enhancements in that family. This is a consolidated view of the artifacts organized in a way to make the information usable. From here you can navigate to the individual control pages where the artifacts associated with each control or control enhancement are displayed with the control. You can use the Links Panels to select the individual controls or control enhancements you want to work with.
Supplement the artifacts here with other relevent documents and records dictated by your risk-based cybersecurity program and your information supply chain requirements.
The Source of the Artifacts
The control information comes from NIST Special Publication 800-53R4, Security and Privacy Controls for Information Systems and Organizationsand Special Publication and NIST Special Publication 800-53AR4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations Building Effective Assessment Plans. We've normalized the artifact names and annotated them with information useful in understanding these artifacts in the context of your digital enterprise, information supply chain, and security architecture.
Essential Artifacts for Risk-Based Cybersecurity Programs
This section includes core documents for risk-based cybersecurity; the POLICY & PROCEDURES document for Configuration Management (CM); and documents that are widely used in the assessment of controls and control enhancements in the Configuration Management (CM) family. Policy and Procedure documents from control families are in CAPS and identified with their two letter code.
| CORE ARTIFACTS |
| WIDELY USED ARTIFACTS FOR CONFIGURATION MANAGEMENT (CM) |
| CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM) |
| Configuration Management policies and procedures |
| Information system design documentation |
| Information system configuration settings and associated documentation |
| Information system audit records |
Security Authorization Package Documents:
|
| ESSENTIALS |
| ACCESS CONTROL POLICY & PROCEDURES (AC) |
| Asset Inventory |
| AUDIT & ACCOUNTABILITY POLICY & PROCEDURES (AU) | Configuration Management Plan |
| CONFIGURATION MANAGEMENT POLICY & PROCEDURES (CM) |
Contingency Plan
|
| CONTINGENCY PLANNING POLICY & PROCEDURES (CP) |
| Continuous Monitoring Strategy |
| Continuous Monitoring Plan |
| Enterprise Architecture (EA) |
| IDENTIFICATION & AUTHENTICATION POLICY & PROCEDURES (IA) |
| INCIDENT RESPONSE POLICY & PROCEDURES (IR) |
| INFORMATION SECURITY PROGRAM PLAN (PM) |
| MEDIA PROTECTION POLICY & PROCEDURES (MP) |
| PERSONNEL SECURITY POLICY & PROCEDURES (PS) |
| PHYSICAL AND ENVIRONMENTAL PROTECTION POLICY & PROCEDURES (PE) |
| Privacy Impact Assessment |
| Privacy Program Plan |
| Risk Assessment |
| RISK ASSESSMENT POLICY & PROCEDURES (RA) |
| SECURITY ASSESSMENT & AUTHORIZATION POLICY & PROCEDURES (CA) |
| SECURITY AWARENESS AND TRAINING POLICY & PROCEDURES (AT) |
| Security Configurations |
| SECURITY PLANNING POLICY & PROCEDURES (PL) |
| SYSTEM AND COMMUNICATIONS PROTECTION POLICY & PROCEDURES (SC) |
| SYSTEM AND INFORMATION INTEGRITY POLICY & PROCEDURES (SI) |
| SYSTEM AND SERVICES ACQUISITION POLICY & PROCEDURES (SA) |
| System Interconnection Agreements |
| SYSTEM MAINTENANCE POLICY & PROCEDURES (MA) |
Policy & Procedures
Here you'll find a catalog of Configuration Management (CM) related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
| POLICES & PROCEDURES | APPLICABLE CONTROL(S) |
| Configuration management policy and procedures | CM-1 |
| Procedures addressing access restrictions for changes to the information system | CM-5 CM-5 (1) CM-5 (2) CM-5 (3) CM-5 (4) CM-5 (5) CM-5 (6) |
| Procedures addressing configuration management planning | CM-9 |
| Procedures addressing configuration settings for the information system | CM-6 CM-6 (1) CM-6 (2) |
| Procedures addressing information system component installations and upgrades | CM-2 (1) CM-2 (7) |
| Procedures addressing information system component inventory | CM-8 CM-8 (1) CM-8 (2) CM-8 (3) CM-8 (4) CM-8 (5) CM-8 (6) CM-8 (7) CM-8 (8) CM-8 (9) |
| Procedures addressing information system configuration change control | CM-3 CM-3 (1) CM-3 (2) CM-3 (3) CM-3 (4) CM-3 (5) CM-3 (6) |
| Procedures addressing least functionality in the information system | CM-7 CM-7 (1) CM-7 (2) CM-7 (3) CM-7 (4) CM-7 (5) |
| Procedures addressing responsibilities for configuration management process development | CM-9 (1) |
| Procedures addressing restrictions on use of open source software | CM-10 (1) |
| Procedures addressing security impact analysis for changes to the information system | CM-4 CM-4 (1) CM-4 (2) |
| Procedures addressing software usage restrictions | CM-10 |
| Procedures addressing the baseline configuration of the information system | CM-2 CM-2 (1) CM-2 (2) CM-2 (3) CM-2 (6) |
| Procedures addressing the baseline configuration of the information system | CM-2 (7) |
| Procedures addressing user installed software | CM-11 CM-11 (1) CM-11 (2) |
Evidence, Records & Artifacts
Here you'll find a catalog of Configuration Management (CM) related policies and procedures for managing access to your digital enterprise and information supply chain. Select those that enable your risk-based cybersecurity program.
| ARTIFACT | APPLICABLE CONTROL(S) |
| Access credentials | CM-5 |
| Acknowledgements of information system component assignments | CM-8 (9) |
| Agenda /minutes from configuration change control oversight meetings | CM-3 |
| Alerts/notifications of unauthorized baseline configuration changes | CM-3 (5) |
| Alerts/notifications of unauthorized changes to information system configuration settings | CM-6 (2) |
| Alerts/notifications of unauthorized components within the information system | CM-8 (3) |
| Alerts/notifications of unauthorized software installations | CM-11 (2) |
| Analysis tools and associated outputs | CM-4 CM-4 (2) |
| Analysis tools and associated outputs information system design documentation | CM-4 (1) |
| Audit and compliance reviews | CM-7 (3) |
| Audit and review reports | CM-5 (2) |
| Automated configuration control mechanisms | CM-3 (1) CM-3 (3) |
| Change approval requests | CM-3 (1) |
| Change approvals | CM-3 (1) |
| Change control audit and review reports | CM-3 |
| Change control records | CM-2 CM-2 (1) CM-2 (7) CM-3 CM-3 (1) CM-3 (2) CM-3 (3) CM-4 CM-4 (1) CM-4 (2) CM-5 CM-5 (1) CM-5 (2) CM-5 (3) CM-5 (4) CM-5 (5) CM-5 (6) CM-6 CM-6 (1) CM-6 (2) CM-7 (1) CM-7 (2) CM-7 (4) CM-7 (5) CM-8 (2) CM-8 (3 |
| Component installation records | CM-8 (1) |
| Component removal records | CM-8 (1) |
| Configuration change control records | CM-2 (2) |
| Continuous monitoring strategy | CM-11 |
| Copies of previous baseline configuration versions | CM-2 (3) |
| Documentation evidence of separate test and operational environments | CM-4 (1) |
| Documented responses to unauthorized changes to information system configuration settings | CM-6 (2) |
| Documented reviews of functions, ports, protocols, and/or services | CM-7 (1) |
| Enterprise architecture documentation | CM-2 |
| Evidence supporting approved deviations from established configuration settings | CM-6 |
| Information system component installations/upgrades and associated records | CM-2 (1) |
| Information system component installations/upgrades and associated records | CM-2 (7) |
| Information system inventory records | CM-8 CM-8 (1) CM-8 (2) CM-8 (3) CM-8 (4) CM-8 (5) CM-8 (6) CM-8 (7) CM-8 (8) CM-8 (9) |
| Information system inventory repository | CM-8 (7) |
| Information system maintenance records | CM-8 (2) |
| Information system monitoring records | CM-8 (3) CM-11 |
| Inventory reviews and update records | CM-8 CM-8 (1) |
| Logical access approvals | CM-5 |
| Physical access approvals | CM-5 |
| Records of information system baseline configuration reviews and updates | CM-2 (1) CM-2 (7) |
| Review and update records associated with list of authorized software programs | CM-7 (5) |
| Review and update records associated with list of unauthorized software programs | CM-7 (4) |
| Reviews of information system changes | CM-5 (2) |
| Security impact analysis documentation | CM-4 CM-4 (1) CM-4 (2) |
| Site license documentation | CM-10 |
| Software contract agreements and copyright laws | CM-10 |
| Software license tracking reports | CM-10 |
| Specifications for preventing software program execution | CM-7 (2) |
| Test records | CM-3 (2) |
| User privilege recertifications | CM-5 (5) |
| User privilege reviews | CM-5 (5) |
| Validation records | CM-3 (2) |
Configuration Management Related Lists
These are the Configuration Management (CM) related lists you may need to support your security program. For the lists applicable to your systems and informations supply chain you should know the source of the list and the data it contains; how the lists are generated, where they are stored, and how they are maintained, and how to get the when you have an incident, an incident investigation or an audit.
| LIST | APPLICABLE CONTROL(S) |
| List of rules governing user installed software | CM-11 |
| List of software and firmware components to be prohibited from installation without a recognized and approved certificate | CM-5 (3) |
| List of software programs authorized to execute on the information system | CM-7 (5) |
| List of software programs not authorized to execute on the information system | CM-7 (4) |
| List of software usage restrictions | CM-10 |
| Security configuration checklists | CM-6 CM-6 (1) CM-7 CM-7 (1) CM-7 (4) CM-7 (5) |