Configuration Management¶

• a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
  • 1. [Selection: one or more of: organization-level; mission/business process-level; system-level] configuration management policy that:
    • (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    • (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  • 2. Procedures to facilitate the implementation of the configuration management policy and the associated configuration management controls;
• b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the configuration management policy and procedures; and
• c. Review and update the current configuration management:
  • 1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
  • 2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events].

• a. Develop and document an inventory of system components that:
  • 1. Accurately reflects the system;
  • 2. Includes all components within the system;
  • 3. Does not include duplicate accounting of components or components assigned to any other system;
  • 4. Is at the level of granularity deemed necessary for tracking and reporting; and
  • 5. Includes the following information to achieve system component accountability: [Assignment: organization-defined information]; and
• b. Review and update the system component inventory [Assignment: organization-defined frequency].

• a. Establish [Assignment: organization-defined policies] governing the installation of software by users;
• b. Enforce software installation policies through the following methods: [Assignment: organization-defined methods]; and
• c. Monitor policy compliance [Assignment: organization-defined frequency].

• a. Identify and document the location of [Assignment: organization-defined information] and the specific system components on which the information is processed and stored;
• b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
• c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

Use automated tools to identify [Assignment: organization-defined information by information type] on [Assignment: organization-defined system components] to ensure controls are in place to protect organizational information and individual privacy.

Prevent the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.