
CM-12 Information Location

Moderate
High

>Control Description

a. Identify and document the location of organization-defined information and the specific system components on which the information is processed and stored;

b. Identify and document the users who have access to the system and system components where the information is processed and stored; and

c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

>FedRAMP Baseline Requirements

Additional Requirements and Guidance

CM-12 Requirement: According to FedRAMP Authorization Boundary Guidance

>Discussion

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see FIPS 199).

The location of the information and system components is also a factor in the architecture and design of the system (see SA-4, SA-8, SA-17).

>Cross-Framework Mappings

>Programmatic Queries

Beta

Related Services

Resource Groups
Config
Macie

CLI Commands

List resources by region
aws resourcegroupstaggingapi get-resources --region REGION
Check S3 bucket locations
for bucket in $(aws s3api list-buckets --query 'Buckets[*].Name' --output text); do echo "$bucket: $(aws s3api get-bucket-location --bucket "$bucket" --query 'LocationConstraint' --output text)"; done
List RDS instances by region
aws rds describe-db-instances --query 'DBInstances[*].{Id:DBInstanceIdentifier,AZ:AvailabilityZone,Region:DBInstanceArn}'
Check data classification with Macie
aws macie2 list-findings --finding-criteria '{"criterion":{"classificationDetails.result.sensitiveData.category":{"eq":["FINANCIAL_INFORMATION"]}}}'
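
The S3 loop above prints one "bucket: location" line per bucket. As an added example (not part of the original page), the functions below turn that output into a normalized inventory, diff two runs into the change record that part c of the control asks for, and list buckets outside an approved region set. The function names and the approved-region list are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). Input is the "bucket: location"
# text printed by the S3 loop above. Function names are hypothetical.

# get-bucket-location reports us-east-1 as a null LocationConstraint, which
# --output text prints as "None"; legacy buckets may report "EU" for eu-west-1.
normalize_region() {
  case "$1" in
    None|null|"") echo "us-east-1" ;;
    EU)           echo "eu-west-1" ;;
    *)            echo "$1" ;;
  esac
}

# stdin: "bucket: location" lines -> stdout: sorted "bucket region" inventory
build_inventory() {
  while IFS= read -r line; do
    if [ -n "$line" ]; then
      printf '%s %s\n' "${line%%:*}" "$(normalize_region "${line#*: }")"
    fi
  done | LC_ALL=C sort
}

# $1 = previous inventory, $2 = current inventory -> change records (CM-12 c)
location_changes() {
  awk '
    FILENAME == ARGV[1] { old[$1] = $2; next }
    { seen[$1] = 1
      if (!($1 in old))       print "ADDED " $1 " " $2
      else if (old[$1] != $2) print "MOVED " $1 " " old[$1] " -> " $2 }
    END { for (b in old) if (!(b in seen)) print "REMOVED " b " " old[b] }
  ' "$1" "$2" | LC_ALL=C sort
}

# $1 = inventory, remaining args = approved regions (hypothetical boundary list)
outside_boundary() {
  inv=$1; shift
  approved=" $* "
  while read -r bucket region; do
    case "$approved" in
      *" $region "*) ;;
      *) echo "$bucket $region" ;;
    esac
  done < "$inv"
}
```

Pipe the loop's output into build_inventory and keep the file from each run; location_changes on two consecutive files gives a dated record of added, removed and relocated buckets.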

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-12 (Information Location)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-12?
  • How frequently is the CM-12 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-12?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-12 requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-12?
  • How is CM-12 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-12 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-12?
  • What audit logs, records, reports, or monitoring data validate CM-12 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-12 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-12 compliance?
