FedRAMP Rev 5: CM Configuration Management

34 controls in the Configuration Management family

Each entry gives the control ID and title, followed by the FedRAMP baselines that include it.

CM-1 Policy and Procedures: LI-SaaS, LOW, MODERATE, HIGH
CM-2 Baseline Configuration: LI-SaaS, LOW, MODERATE, HIGH
CM-2 (02) Baseline Configuration | Automation Support for Accuracy and Currency: MODERATE, HIGH
CM-2 (03) Baseline Configuration | Retention of Previous Configurations: MODERATE, HIGH
CM-2 (07) Baseline Configuration | Configure Systems and Components for High-risk Areas: MODERATE, HIGH
CM-3 Configuration Change Control: MODERATE, HIGH
CM-3 (01) Configuration Change Control | Automated Documentation, Notification, and Prohibition of Changes: HIGH
CM-3 (02) Configuration Change Control | Testing, Validation, and Documentation of Changes: MODERATE, HIGH
CM-3 (04) Configuration Change Control | Security and Privacy Representatives: MODERATE, HIGH
CM-3 (06) Configuration Change Control | Cryptography Management: HIGH
CM-4 Impact Analyses: LI-SaaS, LOW, MODERATE, HIGH
CM-4 (01) Impact Analyses | Separate Test Environments: HIGH
CM-4 (02) Impact Analyses | Verification of Controls: MODERATE, HIGH
CM-5 Access Restrictions for Change: LI-SaaS, LOW, MODERATE, HIGH
CM-5 (01) Access Restrictions for Change | Automated Access Enforcement and Audit Records: MODERATE, HIGH
CM-5 (05) Access Restrictions for Change | Privilege Limitation for Production and Operation: MODERATE, HIGH
CM-6 Configuration Settings: LI-SaaS, LOW, MODERATE, HIGH
CM-6 (01) Configuration Settings | Automated Management, Application, and Verification: MODERATE, HIGH
CM-6 (02) Configuration Settings | Respond to Unauthorized Changes: HIGH
CM-7 Least Functionality: LI-SaaS, LOW, MODERATE, HIGH
CM-7 (01) Least Functionality | Periodic Review: MODERATE, HIGH
CM-7 (02) Least Functionality | Prevent Program Execution: MODERATE, HIGH
CM-7 (05) Least Functionality | Authorized Software -- Allow-by-exception: MODERATE, HIGH
CM-8 System Component Inventory: LI-SaaS, LOW, MODERATE, HIGH
CM-8 (01) System Component Inventory | Updates During Installation and Removal: MODERATE, HIGH
CM-8 (02) System Component Inventory | Automated Maintenance: HIGH
CM-8 (03) System Component Inventory | Automated Unauthorized Component Detection: MODERATE, HIGH
CM-8 (04) System Component Inventory | Accountability Information: HIGH
CM-9 Configuration Management Plan: MODERATE, HIGH
CM-10 Software Usage Restrictions: LI-SaaS, LOW, MODERATE, HIGH
CM-11 User-installed Software: LI-SaaS, LOW, MODERATE, HIGH
CM-12 Information Location: MODERATE, HIGH
CM-12 (01) Information Location | Automated Tools to Support Information Location: MODERATE, HIGH
CM-14 Signed Components: HIGH