CM-9—Configuration Management Plan
>Control Description
>FedRAMP Baseline Requirements
Additional Requirements and Guidance
CM-9 Guidance: FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide
>Discussion
Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems.
Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities. Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.
Organizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems.
Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control.
>Cross-Framework Mappings
>Programmatic Queries
Related Services
CLI Commands
aws configservice describe-config-rulesaws configservice describe-conformance-packsaws configservice get-conformance-pack-compliance-summaryaws ssm list-documents --filters Key=Owner,Values=Self>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What formal policies and procedures govern the implementation of CM-9 (Configuration Management Plan)?
- •Who are the designated roles responsible for implementing, maintaining, and monitoring CM-9?
- •How frequently is the CM-9 policy reviewed and updated, and what triggers policy changes?
- •What training or awareness programs ensure personnel understand their responsibilities related to CM-9?
Technical Implementation:
- •Describe the specific technical mechanisms or controls used to enforce CM-9 requirements.
- •What automated tools, systems, or technologies are deployed to implement CM-9?
- •How is CM-9 integrated into your system architecture and overall security posture?
- •What configuration settings, parameters, or technical specifications enforce CM-9 requirements?
Evidence & Documentation:
- •What documentation demonstrates the complete implementation of CM-9?
- •What audit logs, records, reports, or monitoring data validate CM-9 compliance?
- •Can you provide evidence of periodic reviews, assessments, or testing of CM-9 effectiveness?
- •What artifacts would you present during a FedRAMP assessment to demonstrate CM-9 compliance?
Ask AI
Configure your API key to use AI features.