CM-09: Configuration Management Plan
base control objective:
The organization develops, documents, and implements a configuration management plan for the information system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Defines the configuration items for the information system and when in the system development life cycle the configuration items are placed under configuration management; and
c. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
supplemental objective information:
Configuration items are the information system items (hardware, software, firmware, and documentation) to be configuration managed. The configuration management plan satisfies the requirements in the organization’s configuration management policy while being tailored to the individual information system. The configuration management plan defines detailed processes and procedures for how configuration management is used to support system development life cycle activities at the information system level. The plan describes how to move a change through the change management process, how configuration settings and configuration baselines are updated, how the information system component inventory is maintained, how development, test, and operational environments are controlled, and finally, how documents are developed, released, and updated. The configuration management approval process includes designation of key management stakeholders that are responsible for reviewing and approving proposed changes to the information system, and security personnel that would conduct an impact analysis prior to the implementation of any changes to the system.
enhancements to the base objective:
(1) The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.
Enhancement Supplemental Guidance: In the absence of a dedicated configuration management team, the system integrator may be tasked with developing the configuration management process.
mapping to FIPS199 baseline:
related (regimented) controls:
Developer Configuration Management|
documents referenced in SP800-53rev3 for CM-09: