Navigate

CCI-000366

CCI-000366 Definition

The organization implements the security configuration settings.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed must develop and document a process for implementing DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc). DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc).

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the documented process to ensure the organization being inspected/assessed implements DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc). The organization conducting the inspection/assessment tests a sampling of information system components to ensure they comply with the required settings. DoD has defined the security configuration checklists as DoD security configuration or implementation guidance (e.g. STIGs, NSA configuration guides, CTOs, DTMs etc).

Compelling Evidence

1.) Applicable STIG/SRG checks

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000366.

Control	Description
CM-6	The organization: CM-6a.: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; CM-6b.: Implements the configuration settings; CM-6c.: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and CM-6d.: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Control

Description

CM-6

The organization:

CM-6a.: Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;

CM-6b.: Implements the configuration settings;

CM-6c.: Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and

CM-6d.: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.