Navigate

CCI-003941

CCI-003941 Definition

Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using organization-defined common secure configurations.

Status
Type	CheckType.technical

Master Assessment Datasheet

Implementation Guidance

Determine if configuration settings that reflect the most restrictive mode consistent with operational requirements are established and documented for components employed within the system using [CM-06_ODP[01]; common secure configurations to establish and document configuration settings for components employed within the system are defined].

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing configuration settings for the system; configuration management plan; system design documentation; system configuration settings and associated documentation; common secure configuration checklists; system component inventory; evidence supporting approved deviations from established configuration settings; change control records; system data processing and retention permissions; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with security configuration management responsibilities; organizational personnel with privacy configuration management responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators]. Test: [SELECT FROM: Organizational processes for managing configuration settings; mechanisms that implement, monitor, and/or control system configuration settings; mechanisms that identify and/or document deviations from established configuration settings].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003941.

Control	Description
CM-6	a: Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [common secure configurations to establish and document configuration settings for components employed within the system are defined;]; b: Implement the configuration settings; c: Identify, document, and approve any deviations from established configuration settings for [system components for which approval of deviations is needed are defined;] based on [operational requirements necessitating approval of deviations are defined;] ; and d: Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

Control

Description

CM-6

a: Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [common secure configurations to establish and document configuration settings for components employed within the system are defined;];

b: Implement the configuration settings;

c: Identify, document, and approve any deviations from established configuration settings for [system components for which approval of deviations is needed are defined;] based on [operational requirements necessitating approval of deviations are defined;] ; and

d: Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.