System Security Plan (SSP) Categorization: Moderate-Low-Low


Configuration Management (CM)



Date: 02.05.2018


  1. CM-1 – Configuration Management Policy and Procedures


Program-specific policies and procedures shall be included in the specific security controls listed below. There is no requirement for the Program to develop additional policy to meet the -1 control.
Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

      1. CM-2 – Baseline Configuration


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-2(1) – Baseline Configuration: Reviews & Updates


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

      1. CM-3 – Configuration Change Control


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:




  1. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses

Click here to enter text.

  1. Documents configuration change decisions associated with the information system

Click here to enter text.

  1. Implements approved configuration-controlled changes to the information system

Click here to enter text.

  1. Retains records of configuration-controlled changes to the information system for the life of the system

Click here to enter text.

  1. Audits and reviews activities associated with configuration-controlled changes to the information system

Click here to enter text.

  1. Coordinates and provides oversight for configuration change control activities through the establishment of a group of individuals with the collective responsibility and authority to review and approve proposed changes to the IS. The group convenes as defined in the local SSP and when there is a significant change to the system or the environment in which the system operates. This could be a function overseen only by the ISSM and/or ISSO/AO.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-3(4) – Configuration Change Control: Security Representative


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-3(6) – Configuration Change Control: Cryptography Management


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

      1. CM-4 – Security Impact Analysis


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

      1. CM-5 – Access Restrictions for Change


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-5(5) – Access Restrictions for Change: Limit Production/Operational Privileges


After a relevance determination, this control can be tailored out for standalone IS with a single user.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-5(6) – Access Restrictions for Change: Limit Library Privileges


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

      1. CM-6 – Configuration Settings


Recommended Continuous Monitoring Frequency: Semi-Annual

Program Frequency:




  1. Implements the configuration settings

Click here to enter text.

  1. Identifies, documents, and approves any deviations from established configuration settings for all configurable IS components based on mission requirements

Click here to enter text.

  1. Develops, documents, monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.


      1. CM-7 – Least Functionality


Recommended Continuous Monitoring Frequency: Semi-Annual

Program Frequency:




  1. Prohibits or restricts the use of ports, protocols, and services using least functionality. Access to ports will be denied by default and allowed by exception, as documented in the system security plan.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-7(1) – Least Functionality: Periodic Review


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Semi-Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-7(2) – Least Functionality: Prevent Program Execution


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Semi-Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-7(3) – Least Functionality: Registration Compliance


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Semi-Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-7(5) – Least Functionality: Authorized Software/Whitelisting


Recommended Continuous Monitoring Frequency: Semi-Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

      1. CM-8 – Information System Component Inventory


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:




  1. Reviews and updates the information system component inventory whenever a change is made to the inventory

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-8(2) – Information System Component Inventory: Automated Maintenance


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Semi-Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-8(3) – Information System Component Inventory: Automated Unauthorized Component Detection


After a relevance determination, this control can be tailored out for standalone IS.

Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

      1. CM-9 – Configuration Management Plan


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



Establishes a process for identifying configuration items throughout the system development life cycle

Click here to enter text.

Defines the configuration items for the information system and places the configuration items under configuration management

Click here to enter text.

Protects the configuration management plan from unauthorized disclosure and modification

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

      1. CM-10 – Software Usage Restrictions


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:




  1. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution

Click here to enter text.



  1. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for unauthorized distribution, display, performance, or reproduction of copyrighted work.

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-10(1) – Software Usage Restrictions: Open Source Software


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.

      1. CM-11 – User Installed Software


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:




  1. Defines and documents the methods employed to enforce the installation policies, either through system configuration settings or manual oversight

Click here to enter text.



  1. Monitors policy compliance at the approved continuous monitoring interval (quarterly).

Click here to enter text.

CONTINUOUS MONITORING STRATEGY

Click here to enter text.

CM-11(2) – User Installed Software: Prohibit Installation with Privileged Status


Recommended Continuous Monitoring Frequency: Annual

Program Frequency:



CONTINUOUS MONITORING STRATEGY

Click here to enter text.


