CM-06 Configuration Settings

Control: The organization: (i) establishes mandatory configuration settings for information technology products employed within the information system; (ii) configures the security settings of information technology products to the most restrictive mode consistent with operational requirements; (iii) documents the configuration settings; and (iv) enforces the configuration settings in all components of the information system.

Supplemental Guidance: Configuration settings are the configurable parameters of the information technology products that compose the information system. Organizations monitor and control changes to the configuration settings in accordance with organizational policies and procedures. OMB FISMA reporting instructions provide guidance on configuration requirements for federal information systems. NIST Special Publication 800-70 provides guidance on producing and using configuration settings for information technology products employed in organizational information systems. Related security controls: CM-2, CM-3, SI-4.

Control Enhancements: (1) The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings.

Baseline: LOW CM-6 MOD CM-6 HIGH CM-6 (1)

Family: Configuration Management

Class: Operational

ISO 17799 mapping: None.

COBIT 4.1 mapping: None.

PCI-DSS v2 mapping: 2.2, 2.2.3