Show/Hide Toolbars

ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

Navigation: CM-FAMILY: CONFIGURATION MANAGEMENT

CM-7(1) LEAST FUNCTIONALITY  |  PERIODIC REVIEW
Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

 

 

 

 

 

 

 

 

 

 

 

 

###

cm-7(1)

least functionality  | periodic review

 

assessment objective:

Determine if the organization:

cm-7(1)(a)

cm-7(1)(a)[1]

defines the frequency to review the information system to identify unnecessary and/or nonsecure:

cm-7(1)(a)[1][a]

functions;

cm-7(1)(a)[1][b]

ports;

cm-7(1)(a)[1][c]

protocols; and/or

cm-7(1)(a)[1][d]

services;

cm-7(1)(a)[2]

reviews the information system with the organization-defined frequency to identify unnecessary and/or nonsecure:

cm-7(1)(a)[2][a]

functions;

cm-7(1)(a)[2][b]

ports;

cm-7(1)(a)[2][c]

protocols; and/or

cm-7(1)(a)[2][d]

services;

cm-7(1)(b)

cm-7(1)(b)[1]

defines, within the information system, unnecessary and/or nonsecure:

cm-7(1)(b)[1][a]

functions;

cm-7(1)(b)[1][b]

ports;

cm-7(1)(b)[1][c]

protocols; and/or

cm-7(1)(b)[1][d]

services;

cm-7(1)(b)[2]

disables organization-defined unnecessary and/or nonsecure:

cm-7(1)(b)[2][a]

functions;

cm-7(1)(b)[2][b]

ports;

cm-7(1)(b)[2][c]

protocols; and/or

cm-7(1)(b)[2][d]

services.

potential assessment methods and objects:

Examine: [select from: Configuration management policy; procedures addressing least functionality in the information system; configuration management plan; security plan; information system design documentation; information system configuration settings and associated documentation; security configuration checklists; documented reviews of functions, ports, protocols, and/or services; change control records; information system audit records; other relevant documents or records].

Interview: [select from: Organizational personnel with responsibilities for reviewing functions, ports, protocols, and services on the information system; organizational personnel with information security responsibilities; system/network administrators].

Test: [select from: Organizational processes for reviewing/disabling nonsecure functions, ports, protocols, and/or services; automated mechanisms implementing review and disabling of nonsecure functions, ports, protocols, and/or services].

 

 

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056