Navigate

CCI-000292

CCI-000292 Definition

The organization reviews and updates, on an organization-defined frequency, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed reviews and updates, annually, the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls. The organization must document each occurrence of the reviews and update actions as an audit trail. DoD has defined the frequency as annually.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines documentation of occurrence of reviews and update actions for the procedures to facilitate the implementation of the configuration management policy and associated configuration management controls to ensure annual review and necessary updates are occurring. DoD has defined the frequency as annually.

Compelling Evidence

1.) Signed and dated configuration management policies with change log referenced

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000292.

Control	Description
CM-1	The organization: CM-1a.: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: CM-1a.1.: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and CM-1a.2.: Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and CM-1b.: Reviews and updates the current: CM-1b.1.: Configuration management policy [Assignment: organization-defined frequency]; and CM-1b.2.: Configuration management procedures [Assignment: organization-defined frequency].

Control

Description

CM-1

The organization:

CM-1a.: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
- CM-1a.1.: A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
- CM-1a.2.: Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and

CM-1b.: Reviews and updates the current:
- CM-1b.1.: Configuration management policy [Assignment: organization-defined frequency]; and
- CM-1b.2.: Configuration management procedures [Assignment: organization-defined frequency].