| Applicable (Y)es / (N)o | (C)onfidentiality | (I)ntegrity | (A)vailability | RPN (C+I+A) | (S)atisfactory / (O)ther than satisfactory |
|---|---|---|---|---|---|
| | L1 / M2 / H3 | L1 / M2 / H3 | L1 / M2 / H3 | | |
### CM-6 Configuration Settings

**Assessment objective:** Determine if the organization:

| Objective | Determination |
|---|---|
| cm-6(a)[1] | defines security configuration checklists to be used to establish and document configuration settings for the information technology products employed; |
| cm-6(a)[2] | ensures the defined security configuration checklists reflect the most restrictive mode consistent with operational requirements; |
| cm-6(a)[3] | establishes and documents configuration settings for information technology products employed within the information system using organization-defined security configuration checklists; |
| cm-6(b) | implements the configuration settings established/documented in CM-6(a); |
| cm-6(c)[1] | defines information system components for which any deviations from established configuration settings must be: |
| cm-6(c)[1][a] | identified; |
| cm-6(c)[1][b] | documented; |
| cm-6(c)[1][c] | approved; |
| cm-6(c)[2] | defines operational requirements to support: |
| cm-6(c)[2][a] | the identification of any deviations from established configuration settings; |
| cm-6(c)[2][b] | the documentation of any deviations from established configuration settings; |
| cm-6(c)[2][c] | the approval of any deviations from established configuration settings; |
| cm-6(c)[3] | identifies any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; |
| cm-6(c)[4] | documents any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; |
| cm-6(c)[5] | approves any deviations from established configuration settings for organization-defined information system components based on organization-defined operational requirements; |
| cm-6(d)[1] | monitors changes to the configuration settings in accordance with organizational policies and procedures; and |
| cm-6(d)[2] | controls changes to the configuration settings in accordance with organizational policies and procedures. |

**Potential assessment methods and objects:**

- **Examine:** [select from: Configuration management policy; procedures addressing configuration settings for the information system; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; evidence supporting approved deviations from established configuration settings; change control records; information system audit records; other relevant documents or records].
- **Interview:** [select from: Organizational personnel with security configuration management responsibilities; organizational personnel with information security responsibilities; system/network administrators].
- **Test:** [select from: Organizational processes for managing configuration settings; automated mechanisms that implement, monitor, and/or control information system configuration settings; automated mechanisms that identify and/or document deviations from established configuration settings].
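As an added example (not part of this assessment procedure and not NIST's own code), the following Python sketch shows one way an automated mechanism of the kind named under the Test method could identify and document deviations from an organization-defined checklist (cm-6(c)[3]-[4]) and tell approved deviations from unapproved ones (cm-6(c)[5]); the baseline settings, component names and approval register are constructed, and a recorded approval only covers the specific value that was approved.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Deviation:
    """One documented difference between the baseline and a component's actual setting."""
    component: str
    setting: str
    expected: object
    actual: object          # None when the baseline setting is absent on the component
    approved: bool
    justification: str      # operational requirement on record, "" if none

# Constructed baseline checklist (cm-6(a)): the most restrictive values in use here.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": True,
    "tls.min_version": "1.2",
}

# Constructed approved-deviation register (cm-6(c)):
# (component, setting) -> (approved value, operational requirement / change record).
APPROVED = {
    ("db01", "ssh.PasswordAuthentication"):
        ("yes", "legacy backup agent; change record CR-PLACEHOLDER"),
}

def find_deviations(component, current, baseline=BASELINE, approved=APPROVED):
    """Return a Deviation for every baseline setting the component does not match,
    including settings that are missing entirely. A deviation counts as approved
    only if the register names this component and setting AND the actual value
    equals the value that was approved."""
    findings = []
    for setting, expected in baseline.items():
        actual = current.get(setting)
        if actual == expected:
            continue
        allowed, why = approved.get((component, setting), (None, ""))
        is_approved = allowed is not None and actual == allowed
        findings.append(Deviation(component, setting, expected, actual, is_approved, why))
    return findings

def unapproved(deviations):
    """The subset that still needs identification/approval under cm-6(c)."""
    return [d for d in deviations if not d.approved]

if __name__ == "__main__":
    sample = {"ssh.PermitRootLogin": "yes", "ssh.PasswordAuthentication": "yes",
              "tls.min_version": "1.2"}                      # constructed snapshot of db01
    for d in find_deviations("db01", sample):
        print(("APPROVED  " if d.approved else "UNAPPROVED") + f" {d.setting}: {d.actual!r} (expected {d.expected!r})")
```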