Table E-5: Tailoring Actions for Configuration Management Controls

| NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | | TAILORING |
|---|---|---|
| CM-1 | Configuration Management Policy and Procedures | NFO |
| CM-2 | Baseline Configuration | CUI |
| CM-2(1) | BASELINE CONFIGURATION \| REVIEWS AND UPDATES | NFO |
| CM-2(3) | BASELINE CONFIGURATION \| RETENTION OF PREVIOUS CONFIGURATIONS | NCO |
| CM-2(7) | BASELINE CONFIGURATION \| CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS | NFO |
| CM-3 | Configuration Change Control | CUI |
| CM-3(2) | CONFIGURATION CHANGE CONTROL \| TEST / VALIDATE / DOCUMENT CHANGES | NFO |
| CM-4 | Security Impact Analysis | CUI |
| CM-5 | Access Restrictions for Change | CUI |
| CM-6 | Configuration Settings | CUI |
| CM-7 | Least Functionality | CUI |
| CM-7(1) | LEAST FUNCTIONALITY \| PERIODIC REVIEW | CUI |
| CM-7(2) | LEAST FUNCTIONALITY \| PREVENT PROGRAM EXECUTION | CUI |
| CM-7(4)(5) | LEAST FUNCTIONALITY \| UNAUTHORIZED OR AUTHORIZED SOFTWARE / BLACKLISTING OR WHITELISTING | CUI |
| CM-8 | Information System Component Inventory | CUI |
| CM-8(1) | INFORMATION SYSTEM COMPONENT INVENTORY \| UPDATES DURING INSTALLATIONS / REMOVALS | CUI |
| CM-8(3) | INFORMATION SYSTEM COMPONENT INVENTORY \| AUTOMATED UNAUTHORIZED COMPONENT DETECTION | NCO |
| CM-8(5) | INFORMATION SYSTEM COMPONENT INVENTORY \| NO DUPLICATE ACCOUNTING OF COMPONENTS | NFO |
| CM-9 | Configuration Management Plan | NFO |
| CM-10 | Software Usage Restrictions | NCO |
| CM-11 | User-Installed Software | CUI |