CCI-000368

The organization documents any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.

Implementation Guidance

The organization being inspected/assessed documents in the security plan and POAandM, if applicable, all configurable information system components which deviate from configuration settings, and which settings as defined in CM-6, CCI 1756. DoD has defined the information system components as all configurable information system components.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the security plan to ensure the organization being inspected/assessed has documented deviations from configuration settings for information system components.

Compelling Evidence

1.) Example POA&M

The controls below (if any) were marked by NIST as being related to CCI-000368.