CCI-003947

Implementation Guidance

Determine if: - configuration settings for [CM-06(01)_ODP[01]; system components for which to manage, apply, and verify configuration settings are defined] are managed using [CM-06(01)_ODP[02]; automated mechanisms to manage configuration settings are defined]. - configuration settings for [CM-06(01)_ODP[01]; system components for which to manage, apply, and verify configuration settings are defined] are applied using [CM-06(01)_ODP[03]; automated mechanisms to apply configuration settings are defined]. - configuration settings for [CM-06(01)_ODP[01]; system components for which to manage, apply, and verify configuration settings are defined] are verified using [CM-06(01)_ODP[04]; automated mechanisms to verify configuration settings are defined].

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing configuration settings for the system; configuration management plan; system design documentation; system configuration settings and associated documentation; system component inventory; common secure configuration checklists; change control records; system audit records; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with security configuration management responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; system developers]. Test: [SELECT FROM: Organizational processes for managing configuration settings; automated mechanisms implemented to manage, apply, and verify system configuration settings].