Configuration Management (CM)

Enforce dual authorization for implementing changes to [Assignment: organization-defined system components and system-level information].


(a) Limit privileges to change system components and system-related information within a production or operational environment; and
(b) Review and reevaluate privileges [Assignment: organization-defined frequency].


Limit privileges to change software resident within software libraries.


[Withdrawn: Moved to CM-14.]


a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.


Manage, apply, and verify configuration settings for [Assignment: organization-defined system components] using [Assignment: organization-defined automated mechanisms].


Take the following actions in response to unauthorized changes to [Assignment: organization-defined configuration settings]: [Assignment: organization-defined actions].


[Withdrawn: Incorporated into SI-7.]


[Withdrawn: Incorporated into SI-7.]


a. Configure the system to provide only [Assignment: organization-defined mission essential capabilities]; and
b. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or services: [Assignment: organization-defined prohibited or restricted functions, system ports, protocols, software, and/or services].

