CM-2(7)—Configure Systems And Components For High-Risk Areas

MODERATE

HIGH

>Control Description

Issue ⚙organization-defined systems or system components with ⚙organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk; and

Apply the following controls to the systems or components when the individuals return from travel: ⚙organization-defined controls.

>Cross-Framework Mappings

SCF

CFG-02.5

Compare

>Programmatic Queries

Beta

Related Services

AWS Config

AWS Security Hub

CLI Commands

Evaluate compliance for high-risk EC2 configurations

aws configservice describe-compliance-by-config-rule --region us-east-1

Get Security Hub findings for configuration issues

aws securityhub get-findings --filters '{"SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}]}' --region us-east-1

Put Config rule for high-risk resource validation

aws configservice put-config-rule --config-rule file://high-risk-rule.json --region us-east-1

Open AWS Console Documentation

>Supplemental Guidance

When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed.

Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family.

>Related Controls

MP-4

MP-5

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What formal policies and procedures govern the implementation of CM-2(7) (Configure Systems And Components For High-Risk Areas)?
•Who are the designated roles responsible for implementing, maintaining, and monitoring CM-2(7)?
•How frequently is the CM-2(7) policy reviewed and updated, and what triggers policy changes?
•What training or awareness programs ensure personnel understand their responsibilities related to CM-2(7)?

Technical Implementation:

•Describe the specific technical mechanisms or controls used to enforce CM-2(7) requirements.
•What automated tools, systems, or technologies are deployed to implement CM-2(7)?
•How is CM-2(7) integrated into your system architecture and overall security posture?
•What configuration settings, parameters, or technical specifications enforce CM-2(7) requirements?

Evidence & Documentation:

•What documentation demonstrates the complete implementation of CM-2(7)?
•What audit logs, records, reports, or monitoring data validate CM-2(7) compliance?
•Can you provide evidence of periodic reviews, assessments, or testing of CM-2(7) effectiveness?
•What artifacts would you present during a FedRAMP assessment to demonstrate CM-2(7) compliance?

Ask AI

Configure your API key to use AI features.