CM-6

CM-6 CONFIGURATION SETTINGS

Overview

Number	Title	Impact	Priority	Subject Area
CM-6	Configuration Settings	LOW	P1	Configuration Management

Instructions
The organization: CM-6a. Establishes and documents configuration settings for information technology products employed within the information system using Assignment: organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements; CM-6b. Implements the configuration settings; CM-6c. Identifies, documents, and approves any deviations from established configuration settings for Assignment: organization-defined information system components based on Assignment: organization-defined operational requirements; and CM-6d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Instructions

The organization:

CM-6a.

Establishes and documents configuration settings for information technology products employed within the information system using Assignment: organization-defined security configuration checklists that reflect the most restrictive mode consistent with operational requirements;

CM-6b.

Implements the configuration settings;

CM-6c.

Identifies, documents, and approves any deviations from established configuration settings for Assignment: organization-defined information system components based on Assignment: organization-defined operational requirements; and

CM-6d.

Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Guidance
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline. Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.

Guidance

Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the systems configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems.

Enhancements

CM-6 (1) Automated Central Management / Application / Verification

HIGH

The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for Assignment: organization-defined information system components.

CM-6 (2) Respond To Unauthorized Changes

HIGH

Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring established configuration settings, or in extreme cases, halting affected information system processing.

The organization employs Assignment: organization-defined security safeguards to respond to unauthorized changes to Assignment: organization-defined configuration settings.

CM-6 (3) Unauthorized Change Detection

Withdrawn: Incorporated into SI-7.

CM-6 (4) Conformance Demonstration

Withdrawn: Incorporated into CM-4.