Under active development — Content is continuously updated and improved

Home / Frameworks / NIST SP 800-53 / CM — Configuration Management

CM — Configuration Management

66 controls in the Configuration Management family

CM-1Policy And Procedures

CM-2Baseline Configuration

CM-2(1)Reviews And Updates

CM-2(2)Automation Support For Accuracy And Currency

CM-2(3)Retention Of Previous Configurations

CM-2(4)Unauthorized Software

CM-2(5)Authorized Software

CM-2(6)Development And Test Environments

CM-2(7)Configure Systems And Components For High-Risk Areas

CM-3Configuration Change Control

CM-3(1)Automated Documentation, Notification, And Prohibition Of Changes

CM-3(2)Testing, Validation, And Documentation Of Changes

CM-3(3)Automated Change Implementation

CM-3(4)Security And Privacy Representatives

CM-3(5)Automated Security Response

CM-3(6)Cryptography Management

CM-3(7)Review System Changes

CM-3(8)Prevent Or Restrict Configuration Changes

CM-4Impact Analyses

CM-4(1)Separate Test Environments

CM-4(2)Verification Of Controls

CM-5Access Restrictions For Change

CM-5(1)Automated Access Enforcement And Audit Records

CM-5(2)Review System Changes

CM-5(3)Signed Components

CM-5(4)Dual Authorization

CM-5(5)Privilege Limitation For Production And Operation

CM-5(6)Limit Library Privileges

CM-5(7)Automatic Implementation Of Security Safeguards

CM-6Configuration Settings

CM-6(1)Automated Management, Application, And Verification

CM-6(2)Respond To Unauthorized Changes

CM-6(3)Unauthorized Change Detection

CM-6(4)Conformance Demonstration

CM-7Least Functionality

CM-7(1)Periodic Review

CM-7(2)Prevent Program Execution

CM-7(3)Registration Compliance

CM-7(4)Unauthorized Software -- Deny-By-Exception

CM-7(5)Authorized Software -- Allow-By-Exception

CM-7(6)Confined Environments With Limited Privileges

CM-7(7)Code Execution In Protected Environments

CM-7(8)Binary Or Machine Executable Code

CM-7(9)Prohibiting The Use Of Unauthorized Hardware

CM-8System Component Inventory

CM-8(1)Updates During Installation And Removal

CM-8(2)Automated Maintenance

CM-8(3)Automated Unauthorized Component Detection

CM-8(4)Accountability Information

CM-8(5)No Duplicate Accounting Of Components

CM-8(6)Assessed Configurations And Approved Deviations

CM-8(7)Centralized Repository

CM-8(8)Automated Location Tracking

CM-8(9)Assignment Of Components To Systems

CM-9Configuration Management Plan

CM-9(1)Assignment Of Responsibility

CM-10Software Usage Restrictions

CM-10(1)Open-Source Software

CM-11User-Installed Software

CM-11(1)Alerts For Unauthorized Installations

CM-11(2)Software Installation With Privileged Status

CM-11(3)Automated Enforcement And Monitoring

CM-12Information Location

CM-12(1)Automated Tools To Support Information Location

CM-13Data Action Mapping

CM-14Signed Components

← Back to all controls