This document provides requirements for the configuration management process, which is required to ensure that sufficient controls are in place to manage initial and ongoing configuration changes to information systems.

The Configuration Management Plan (CM001) is developed to define, document, control, implement, account for, and audit changes to the various components of the information system.


The organization develops, documents, and maintains, under configuration control, a current baseline configuration of the information system.


The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. The Change Management Process shall be used to track potential security issues. Any changes made to production will be reviewed and any risks identified as medium or high will be remediated prior to push to production unless an exception is granted by the CISO.


The organization:

  1. Establishes and documents configuration settings for information technology products (Reference Information System Components CM001) employed within the information system using CIS Benchmarks and http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc that reflect the most restrictive mode consistent with operational requirements
  2. Implements the configuration settings
  3. Identifies, documents, and approves any deviations from established configuration settings for information system components (Reference CM001) based on vendor recommendations
  4. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.


The organization:

  1. Configures the information system to provide only essential capabilities
  2. Prohibits or restricts the use of functions, ports, protocols, and/or services to only HTTPS over ports 22 and 443 unless approved via exception (via the Change Management Process). Exceptions are approved by the CISO (using CIS Benchmarks and http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc as a reference).


The organization:

  1. Develops and documents an inventory of Information System Components (CM002) that:
    1. Accurately reflects the current information system
    2. Includes all components within the authorization boundary of the information system
    3. Is at the level of granularity deemed necessary for tracking and reporting
  2. Reviews and updates the information system component inventory quarterly


The organization:

  1. Uses software and associated documentation in accordance with contract agreements and copyright laws
  2. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution. Reference Approved Software Inventory (CM003).
  3. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.


The organization:

  1. Establishes policy governing the installation of software by users (CM003)
  2. Enforces software installation policies through IT audits of workstations
  3. Monitors policy compliance on an annual basis


  • Quarterly Management Review (MR001) includes assessment of CM002 and CM003
  • Annual Management Review (MR002) includes review of this policy and CM001