|CM-2 (1) Reviews And Updates ||MODERATE |
The organization reviews and updates the baseline configuration of the information system:
CM-2 (1)(a) [Assignment: organization-defined frequency];
CM-2 (1)(b) When required due to [Assignment: organization-defined circumstances]; and
CM-2 (1)(c) As an integral part of information system component installations and upgrades.
|CM-2 (2) Automation Support For Accuracy / Currency ||HIGH |
Automated mechanisms that help organizations maintain consistent baseline configurations for information systems include, for example, hardware and software inventory tools, configuration management tools, and network management tools. Such tools can be deployed and/or allocated as common controls, at the information system level, or at the operating system or component level (e.g., on workstations, servers, notebook computers, network components, or mobile devices). Tools can be used, for example, to track version numbers on operating system applications, types of software installed, and current patch levels. This control enhancement can be satisfied by the implementation of CM-8 (2) for organizations that choose to combine information system component inventory and baseline configuration activities.
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
|CM-2 (3) Retention Of Previous Configurations ||MODERATE |
Retaining previous versions of baseline configurations to support rollback may include, for example, hardware, software, firmware, configuration files, and configuration records.
The organization retains [Assignment: organization-defined previous versions] of baseline configurations of the information system to support rollback.
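As an added example (not NIST text and not any product's API), a small Python sketch of the two mechanisms CM-2 (2) and CM-2 (3) call for: a baseline store that retains a bounded number of previous baselines for rollback, and a drift check that reports where an observed inventory departs from the current baseline. The class and function names and the sample inventories are constructed for illustration.

```python
import hashlib
import json
from collections import deque


class BaselineStore:
    """Current baseline plus up to `retain` previous versions, kept for rollback."""

    def __init__(self, retain):
        self.current = None
        self.previous = deque(maxlen=retain)  # oldest copies drop off automatically

    @staticmethod
    def digest(baseline):
        # Canonical JSON so identical baselines always produce the same hash,
        # which lets a stored hash attest that a baseline record is unaltered.
        return hashlib.sha256(json.dumps(baseline, sort_keys=True).encode()).hexdigest()

    def update(self, new_baseline):
        """Promote a new baseline, retaining the old one for rollback."""
        if self.current is not None:
            self.previous.append(self.current)
        self.current = new_baseline

    def rollback(self):
        """Restore the most recently retained baseline; fails if none is left."""
        if not self.previous:
            raise ValueError("no previous baseline retained")
        self.current = self.previous.pop()
        return self.current


def drift(baseline, observed):
    """Per-component added/removed/changed items in an observed inventory
    ({component: {item: version}}) relative to the baseline."""
    report = {}
    for comp in sorted(set(baseline) | set(observed)):
        base, obs = baseline.get(comp, {}), observed.get(comp, {})
        added = sorted(set(obs) - set(base))
        removed = sorted(set(base) - set(obs))
        changed = sorted(k for k in set(base) & set(obs) if base[k] != obs[k])
        if added or removed or changed:
            report[comp] = {"added": added, "removed": removed, "changed": changed}
    return report


# Constructed sample inventories (not real systems): one web server's packages.
SAMPLE_BASELINE = {"web-01": {"openssl": "3.0.13", "nginx": "1.24.0"}}
SAMPLE_OBSERVED = {"web-01": {"openssl": "3.0.14", "curl": "8.5.0"}}
```

In practice the inventories would come from the hardware and software inventory tools the guidance mentions, and the drift report would feed the review required by CM-2 (1).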
|CM-2 (4) Unauthorized Software || |
Withdrawn: Incorporated into CM-7.
|CM-2 (5) Authorized Software || |
Withdrawn: Incorporated into CM-7.
|CM-2 (6) Development And Test Environments || |
Establishing separate baseline configurations for development, testing, and operational environments helps protect information systems from unplanned/unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, management of operational configurations typically emphasizes the need for stability, while management of development/test configurations requires greater flexibility. Configurations in the test environment mirror the configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. This control enhancement requires separate configurations but not necessarily separate physical environments.
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
|CM-2 (7) Configure Systems, Components, Or Devices For High-Risk Areas ||MODERATE |
When it is known that information systems, system components, or devices (e.g., notebook computers, mobile devices) will be located in high-risk areas, additional security controls may be implemented to counter the greater threat in such areas coupled with the lack of physical security relative to organizational-controlled areas. For example, organizational policies and procedures for notebook computers used by individuals departing on and returning from travel include determining which locations are of concern, defining required configurations for the devices, ensuring that the devices are configured as intended before travel is initiated, and applying specific safeguards to the device after travel is completed. Specially configured notebook computers include, for example, computers with sanitized hard drives, limited applications, and additional hardening (e.g., more stringent configuration settings). Specified safeguards applied to mobile devices upon return from travel include, for example, examining the device for signs of physical tampering and purging/reimaging the hard disk drive. Protecting information residing on mobile devices is covered in the media protection family.
The organization:
CM-2 (7)(a) Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
CM-2 (7)(b) Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.