Navigate

CCI-001756

CCI-001756 Definition

The organization defines the operational requirements on which the configuration settings for the organization-defined information system components are to be based.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed must define and document in the system security plan, the requirements which may deviate from the approved configuration settings on the information system components defined in CM-6, CCI 1755. DoD has determined that it is not appropriate to define at the Enterprise level.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the system security plan to ensure the organization being inspected/assessed defines the requirements which may deviate from the approved configuration settings on the information system components defined in CM-6, CCI 1755. DoD has determined that it is not appropriate to define at the Enterprise level.

Compelling Evidence

1.) Signed and dated system security plan (SSP)

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-001756.

Control	Description
CM-6	The organization: CM-6a.: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; CM-6b.: Implements the configuration settings; CM-6c.: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and CM-6d.: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Control

Description

CM-6

The organization:

CM-6a.: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;

CM-6b.: Implements the configuration settings;

CM-6c.: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and

CM-6d.: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.