Navigate

CCI-000363

CCI-000363 Definition

The organization defines security configuration checklists to be used to establish and document configuration settings for the information system technology products employed.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc). The organization being inspected/assessed documents in the security plan, the configuration guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc) which apply to their information system components.

Validation Procedures

DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, SRGs, NSA configuration guides, CTOs, DTMs etc). The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has documented the configuration guidance which apply to their information system components. The organization conducting the inspection/assessment reviews the list of documented guidance to ensure that all applicable guidance is identified given the information system components within the authorization boundary.

Compelling Evidence

1.) Signed and dated security configuration checklist

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000363.

Control	Description
CM-6	The organization: CM-6a.: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; CM-6b.: Implements the configuration settings; CM-6c.: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and CM-6d.: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Control

Description

CM-6

The organization:

CM-6a.: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;

CM-6b.: Implements the configuration settings;

CM-6c.: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and

CM-6d.: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.