catalog: SP800-53rev3 / class: Operational / family: (CM) Configuration Management

CM-06: Configuration Settings

base control objective:
The organization:
a. Establishes and documents mandatory configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within the information system based on explicit operational requirements;
d. Enforces the configuration settings in all components of the information system; and
e. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

supplemental objective information:
Configuration settings are the configurable security-related parameters of information technology products that are part of the information system. Security-related parameters are those parameters that affect the security state of the system, including parameters related to meeting other security control requirements. Security-related parameters include, for example, registry settings; account, file, and directory settings (i.e., permissions); and settings for services, ports, protocols, and remote connections. Organizations establish organization-wide mandatory configuration settings from which the settings for a given information system are derived. A security configuration checklist (sometimes referred to as a lockdown guide, hardening guide, security guide, security technical implementation guide [STIG], or benchmark) is a series of instructions or procedures for configuring an information system component to meet operational requirements. Checklists can be developed by information technology developers and vendors, consortia, academia, industry, federal agencies (and other government organizations), and others in the public and private sectors. An example of a security configuration checklist is the OMB-mandated Federal Desktop Core Configuration (FDCC), which potentially affects not only CM-6 but also other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the standards defined within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy and provides guidance on configuration requirements for federal information systems (e.g., Federal Desktop Core Configuration). Many security controls are potentially affected by the mandatory requirements in the Federal Desktop Core Configuration (e.g., AC-19, CM-7).

enhancements to the base objective:

(1) The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.

(2) The organization employs automated mechanisms to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
Enhancement Supplemental Guidance: Responses to unauthorized changes to configuration settings can include, for example, alerting designated organizational personnel, restoring mandatory/organization-defined configuration settings, or in the extreme case, halting affected information system processing.

(3) The organization incorporates detection of unauthorized, security-relevant configuration changes into the organization’s incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
Enhancement Supplemental Guidance: The information system (including modifications to the baseline configuration) demonstrates conformance to security configuration guidance (i.e., security checklists), prior to being introduced into a production environment.
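The following is an added example, not part of the SP800-53rev3 catalog text, showing how the pieces of CM-6 fit together in a small checker: a checklist of mandatory settings (a), a register of documented exceptions per component (c), verification of each component against the checklist (d, enhancement 1), and an automated response that alerts and restores deviating settings while leaving approved exceptions alone (enhancement 2), with a summary that can feed the tracking record enhancement (3) calls for. The checklist, the exception register, the ticket id and the inventory are all constructed sample data, and the setting identifiers only imitate the CCE naming style; they are placeholders, not real Common Configuration Enumeration entries.

```python
"""Configuration settings checker in the spirit of CM-6 (a)-(e) and
enhancements (1) and (2). Added example, not part of the SP800-53 catalog.

The checklist, exception register and inventory below are constructed sample
data; the setting identifiers imitate the CCE style but are placeholders,
not real Common Configuration Enumeration entries."""
from dataclasses import dataclass
from typing import Any, Callable

# CM-6 a: mandatory settings, keyed by identifier -> (description, required value)
CHECKLIST = {
    "CCE-PLACEHOLDER-0001": ("Minimum password length", 14),
    "CCE-PLACEHOLDER-0002": ("Telnet service enabled", False),
    "CCE-PLACEHOLDER-0003": ("Remote registry service enabled", False),
    "CCE-PLACEHOLDER-0004": ("Account lockout threshold (attempts)", 5),
}

# CM-6 c: approved exceptions, recorded per (component, setting) with the justification
APPROVED_EXCEPTIONS = {
    ("legacy-host-01", "CCE-PLACEHOLDER-0002"):
        "CM-EXC-042 (constructed ticket id): vendor console needs telnet; network ACL compensates",
}

@dataclass
class Finding:
    component: str
    setting_id: str
    expected: Any
    observed: Any
    status: str  # "compliant" | "noncompliant" | "excepted" | "missing"
    note: str

def verify(component: str, observed: dict) -> list:
    """CM-6 d / CM-6(1): compare one component's observed settings to the checklist."""
    findings = []
    for setting_id, (description, required) in CHECKLIST.items():
        if setting_id not in observed:
            findings.append(Finding(component, setting_id, required, None, "missing", description))
        elif observed[setting_id] == required:
            findings.append(Finding(component, setting_id, required, required, "compliant", description))
        elif (component, setting_id) in APPROVED_EXCEPTIONS:
            findings.append(Finding(component, setting_id, required, observed[setting_id],
                                    "excepted", APPROVED_EXCEPTIONS[(component, setting_id)]))
        else:
            findings.append(Finding(component, setting_id, required, observed[setting_id],
                                    "noncompliant", description))
    return findings

def respond(findings: list, restore: Callable[[str, str, Any], None]) -> tuple:
    """CM-6(2): alert on every deviation and restore the mandatory value.
    Excepted settings are left alone; they are approved, not unauthorized."""
    alerts, restored = [], []
    for f in findings:
        if f.status in ("noncompliant", "missing"):
            alerts.append(f"{f.component}: {f.setting_id} ({f.note}) "
                          f"expected {f.expected!r}, observed {f.observed!r}")
            restore(f.component, f.setting_id, f.expected)
            restored.append(f.setting_id)
    return alerts, restored

def audit(inventory: dict) -> dict:
    """Verify every component, respond to deviations in place, and return a
    summary suitable for the tracking record CM-6(3) asks for."""
    def restore(component, setting_id, value):
        inventory[component][setting_id] = value

    summary = {}
    for component, observed in inventory.items():
        findings = verify(component, observed)
        alerts, restored = respond(findings, restore)
        summary[component] = {
            "compliant": sum(f.status == "compliant" for f in findings),
            "excepted": sum(f.status == "excepted" for f in findings),
            "restored": restored,
            "alerts": alerts,
        }
    return summary

def sample_inventory() -> dict:
    """Constructed observed settings for two components (fresh copy each call)."""
    return {
        "web-01": {"CCE-PLACEHOLDER-0001": 14, "CCE-PLACEHOLDER-0002": False,
                   "CCE-PLACEHOLDER-0003": True, "CCE-PLACEHOLDER-0004": 5},
        "legacy-host-01": {"CCE-PLACEHOLDER-0001": 8, "CCE-PLACEHOLDER-0002": True,
                           "CCE-PLACEHOLDER-0003": False},  # 0004 not reported at all
    }

if __name__ == "__main__":
    inv = sample_inventory()
    for component, result in audit(inv).items():
        print(component, result)
    # A second pass shows only the approved exception still deviates.
    print([f.status for f in verify("legacy-host-01", inv["legacy-host-01"])])
```

A setting that is absent from the observed inventory is treated as a deviation rather than silently skipped, since a collector that cannot read a mandatory setting is itself a drift signal; and the restore step is a callback so the same verify/respond logic can be wired to a real configuration management agent without changing the checker.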

mapping to FIPS199 baseline:

  LOW: base     MOD: base (3)     HIGH: base (1) (2) (3)  

related (regimented) controls:

CM-02   Baseline Configuration
CM-03   Configuration Change Control
SI-04   Information System Monitoring

documents referenced in SP800-53rev3 for CM-06:

Document         Date            Status   Title
NIST SP800-121   June 2012       current  Guide to Bluetooth Security
NIST SP800-40    November 2005   current  Creating a Patch and Vulnerability Management Program
NIST SP800-44    September 2002  current  Guidelines on Securing Public Web Servers
NIST SP800-45    August 2006     DRAFT    Guidelines on Electronic Mail Security
NIST SP800-48    July 2008       current  Wireless Network Security: 802.11, Bluetooth, and Handheld Devices
NIST SP800-54    September 2006  DRAFT    Border Gateway Protocol Security
NIST SP800-70    September 2009  current  Security Configuration Checklists Program for IT Products - Guidance for Checklists Users and Developers
NIST SP800-81    August 2010     current  Secure Domain Name System (DNS) Deployment Guide
NIST SP800-82    June 2011       current  Guide to Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems Security
NIST SP800-83    September 2006  current  Guide to Malware Incident Prevention and Handling