Navigate

CM-6(2)

CM-6(2): Respond to Unauthorized Changes

Take the following actions in response to unauthorized changes to [configuration settings requiring action upon an unauthorized change are defined;]: [actions to be taken upon an unauthorized change are defined;].

Supplemental

Responses to unauthorized changes to configuration settings include alerting designated organizational personnel, restoring established configuration settings, or—in extreme cases—halting affected system processing.

CIA Levels
Confidentiality	unknown
Integrity	high
Availability	unknown

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-6(2).

Control	Description
IR-4	a: Implement an incident handling capability for incidents that is consistent with the incident response plan and includes preparation, detection and analysis, containment, eradication, and recovery; b: Coordinate incident handling activities with contingency planning activities; c: Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and testing, and implement the resulting changes accordingly; and d: Ensure the rigor, intensity, scope, and results of incident handling activities are comparable and predictable across the organization.
IR-6	a: Require personnel to report suspected incidents to the organizational incident response capability within [time period for personnel to report suspected incidents to the organizational incident response capability is defined;] ; and b: Report incident information to [authorities to whom incident information is to be reported are defined;].
SI-7	a: Employ integrity verification tools to detect unauthorized changes to the following software, firmware, and information: [one of ] ; and b: Take the following actions when unauthorized changes to the software, firmware, and information are detected: [one of ].

Enhancements

The controls below (if any) add on to the requirements of CM-6(2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-6(2).

CCI	Definition
CCI-001757	Defines the actions to employ when responding to unauthorized changes to the organization-defined configuration settings.
CCI-001758	Defines the configuration settings for which to employ organization-defined actions in response to unauthorized changes.
CCI-001759	Take organization-defined actions in response to unauthorized changes to organization-defined configuration settings.