CM – Configuration Management

The RMF Control Family CM, Configuration Management, addresses the need for organizations to manage the configuration of their information systems. Configuration management helps to ensure that information systems are in a known and secure state.

Controls in the CM Control Family

The CM Control Family includes the following controls:

  • CM-1: Configuration Management Policy and Procedures: This control requires organizations to develop and implement a configuration management policy and procedures. This policy should define the roles and responsibilities for configuration management, and the process for managing the configuration of information systems.
  • CM-2: Baseline Configuration: This control requires organizations to establish a baseline configuration for each information system. The baseline configuration should include all of the hardware, software, and firmware components of the information system, as well as the security settings for those components.
  • CM-3: Configuration Change Control: This control requires organizations to implement a process for controlling changes to the configuration of information systems. This process should include steps for identifying, evaluating, approving, implementing, and verifying changes to the configuration of information systems.
  • CM-4: Security Impact Analysis: This control requires organizations to conduct a security impact analysis before making changes to the configuration of information systems. The security impact analysis should identify the potential security impacts of the proposed change, and recommend mitigation strategies.
  • CM-5: Access Restrictions for Change: This control requires organizations to restrict access to the configuration of information systems to authorized personnel.
  • CM-6: Configuration Settings: This control requires organizations to implement and maintain secure configuration settings on all information systems.
  • CM-7: Least Functionality: This control requires organizations to implement the least functionality necessary on all information systems.
  • CM-8: Information System Component Inventory: This control requires organizations to maintain an inventory of all information system components. This inventory should include information about the hardware, software, and firmware components of each information system.
  • CM-9: Configuration Management Plan: This control requires organizations to develop and maintain a configuration management plan for each information system. The configuration management plan should document the configuration management process for the information system.
  • CM-10: Software Usage Restrictions: This control requires organizations to restrict the use of software on information systems to authorized software.
  • CM-11: User-Installed Software: This control requires organizations to control the installation of software on information systems.
  • CM-12: Information Location: This control requires organizations to identify and track the location of all information system components.
  • CM-13: Data Action Mapping: This control requires organizations to map data actions to the security controls that protect that data.
  • CM-14: Signed Components: This control requires organizations to use signed components on all information systems. This helps to ensure that the components have not been tampered with.
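To make CM-2, CM-3, CM-6 and CM-8 concrete, the following script is an added example (not part of the original page and not an official RMF or NIST artifact) that records a baseline of component versions and security settings, folds in approved changes, and reports any drift between the baseline and the observed state of a system. All data in it, including the component names, version strings, setting keys and the "observed" state, is constructed for illustration.

```python
"""Baseline configuration drift check illustrating CM-2 (baseline),
CM-3 (approved changes), CM-6 (settings) and CM-8 (component inventory).
All example data is constructed; nothing here is read from a real system."""
import copy
import json
from dataclasses import dataclass, asdict
from typing import Optional


@dataclass(frozen=True)
class Finding:
    control: str             # CM control the finding maps to
    kind: str                # "added", "removed" or "changed"
    item: str                # component or setting name
    expected: Optional[str]  # baseline value, None if not in the baseline
    observed: Optional[str]  # live value, None if missing on the system


# Constructed CM-2 baseline: approved component versions and security settings.
BASELINE = {
    "components": {
        "nginx": "1.24.0",
        "openssl": "3.0.13",
        "kernel": "6.1.0-18",
    },
    "settings": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "firewall.default_inbound": "deny",
        "services.telnet": "disabled",
    },
}

# Constructed CM-3 change record: the only deviations from the baseline
# that went through impact analysis (CM-4) and were approved.
APPROVED_CHANGES = {
    "components": {"openssl": "3.0.14"},
    "settings": {},
}

# Constructed live state, as an inventory or scan agent might report it.
OBSERVED = {
    "components": {
        "nginx": "1.24.0",
        "openssl": "3.0.14",   # matches the approved change, not drift
        "kernel": "6.1.0-18",
        "netcat": "1.219",     # not in baseline or approved: CM-8 finding
    },
    "settings": {
        "ssh.PermitRootLogin": "yes",   # differs from baseline: CM-6 finding
        "ssh.PasswordAuthentication": "no",
        "firewall.default_inbound": "deny",
        "services.telnet": "disabled",
    },
}


def apply_approved_changes(baseline, changes):
    """Return a copy of the baseline with approved changes folded in (CM-3).
    The baseline itself is never mutated by a scan."""
    updated = copy.deepcopy(baseline)
    for section, items in changes.items():
        updated.setdefault(section, {}).update(items)
    return updated


def diff_section(expected, observed, control):
    """Compare one section (components or settings) key by key."""
    findings = []
    for name in sorted(set(expected) | set(observed)):
        exp, obs = expected.get(name), observed.get(name)
        if exp is None:
            findings.append(Finding(control, "added", name, None, obs))
        elif obs is None:
            findings.append(Finding(control, "removed", name, exp, None))
        elif exp != obs:
            findings.append(Finding(control, "changed", name, exp, obs))
    return findings


def detect_drift(baseline, observed, approved_changes=None):
    """Findings are anything that differs from the approved baseline."""
    effective = apply_approved_changes(baseline, approved_changes or {})
    findings = diff_section(effective["components"], observed["components"], "CM-8")
    findings += diff_section(effective["settings"], observed["settings"], "CM-6")
    return findings


def is_compliant(baseline, observed, approved_changes=None):
    return not detect_drift(baseline, observed, approved_changes)


def report(findings):
    """JSON report suitable for feeding a ticketing or SIEM pipeline."""
    return json.dumps([asdict(f) for f in findings], indent=2)


if __name__ == "__main__":
    print(report(detect_drift(BASELINE, OBSERVED, APPROVED_CHANGES)))
```

Run against the constructed data, the script reports two findings: an unapproved component (netcat) and a drifted SSH setting; the openssl upgrade is silent because it is in the approved change record. In practice the baseline and change record would live in version control and the observed state would come from an inventory agent, so that CM-3 approval, not the scan, is the only path that changes what the system is expected to look like.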

Benefits of Implementing the CM Control Family

There are a number of benefits to implementing the CM Control Family, including:

  • Improved security: The CM Control Family helps to improve the security of information systems by ensuring that they are in a known and secure state. This helps to reduce the risk of unauthorized access, use, disclosure, disruption, modification, or destruction of information systems.
  • Reduced risk: The CM Control Family helps to reduce the risk of security incidents by identifying and mitigating configuration risks. This can help to protect information systems from cyberattacks and other security threats.
  • Compliance: The CM Control Family can help organizations comply with applicable laws and regulations, such as the Federal Information Security Management Act (FISMA) and the Health Insurance Portability and Accountability Act (HIPAA).
  • Increased trust: By implementing the CM Control Family, organizations can demonstrate to their customers and partners that they are taking steps to protect their data.

How to Implement the CM Control Family

To implement the CM Control Family, organizations should follow these steps:

  1. Develop a configuration management policy and procedures. This policy should define the roles and responsibilities for configuration management, and the process for managing the configuration of information systems.
  2. Establish a baseline configuration for each information system. The baseline configuration should include all of the hardware, software, and firmware components of the information system, as well as the security settings for those components.