Navigate

CCI-000292

CCI-000292 Definition

Review and update, on an organization-defined frequency, the procedures to facilitate the implementation of the organization-level; mission/business process-level; and/or system-level configuration management policy and associated configuration management controls.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - configuration management procedures to facilitate the implementation of the configuration management policy and associated configuration management controls are developed and documented. - the configuration management procedures are disseminated to [CM-01_ODP[02]; personnel or roles to whom the configuration management procedures are to be disseminated is/are defined].

Validation Procedures

Examine: [SELECT FROM: Configuration management policy and procedures; security and privacy program policies and procedures; assessment or audit findings; documentation of security incidents or breaches; system security plan; privacy plan; risk management strategy; other relevant artifacts, documents, or records]. Interview: [SELECT FROM: Organizational personnel with configuration management responsibilities; organizational personnel with information security and privacy responsibilities].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000292.

Control	Description
CM-1	a: Develop, document, and disseminate to [one of ]: 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] configuration management policy that: (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and 2: Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls; b: Designate an [an official to manage the configuration management policy and procedures is defined;] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and c: Review and update the current configuration management: 1: Policy [the frequency at which the current configuration management policy is reviewed and updated is defined;] and following [events that would require the current configuration management policy to be reviewed and updated are defined;] ; and 2: Procedures [the frequency at which the current configuration management procedures are reviewed and updated is defined;] and following [events that would require configuration management procedures to be reviewed and updated are defined;].

Control

Description

CM-1

a: Develop, document, and disseminate to [one of ]:
- 1: [one or more of "organization-level"/"mission/business process-level"/"system-level"] configuration management policy that:
  - (a): Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - (b): Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
- 2: Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;

b: Designate an [an official to manage the configuration management policy and procedures is defined;] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

c: Review and update the current configuration management:
- 1: Policy [the frequency at which the current configuration management policy is reviewed and updated is defined;] and following [events that would require the current configuration management policy to be reviewed and updated are defined;] ; and
- 2: Procedures [the frequency at which the current configuration management procedures are reviewed and updated is defined;] and following [events that would require configuration management procedures to be reviewed and updated are defined;].