Difference between revisions of "Template:Comprehensive Guide to Developing and Implementing a Cybersecurity Plan/A simplified description of NIST Special Publication 800-53 controls, with ties to LIMSpec/Appendix 1.5 Configuration management"
Shawndouglas (talk | contribs) (Created as needed.) |
Shawndouglas (talk | contribs) (Updated for 2023.) |
||
| Line 1: | Line 1: | ||
===Appendix 1.5 Configuration management=== | ===Appendix 1.5 Configuration management=== | ||
====CM-1 | ====CM-1 Policy and procedures==== | ||
This control recommends the organization develop, document, disseminate, review, and update configuration management policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of configuration management action but also to address how those policies and procedures will be implemented, reviewed, and updated. | This control recommends the organization develop, document, disseminate, review, and update configuration management policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of configuration management action but also to address how those policies and procedures will be implemented, reviewed, and updated. | ||
| Line 6: | Line 6: | ||
* [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 61 | * [https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final NIST Special Publications 800-12, Rev. 1], page 61 | ||
* [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 131–37 | * [https://csrc.nist.gov/publications/detail/sp/800-100/final NIST Special Publications 800-100], pages 131–37 | ||
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7. | * [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#7._Document_and_records_management LIMSpec 7.1, 7.2] | ||
====CM-2 Baseline configuration==== | ====CM-2 Baseline configuration==== | ||
| Line 19: | Line 19: | ||
'''Additional resources''': | '''Additional resources''': | ||
* [https://www. | * [https://www.cisa.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-CCM.pdf Carnegie Mellon University Configuration and Change Management] | ||
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128] | * [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128] | ||
* No LIMSpec comp (organizational policy rather than system specification) | * No LIMSpec comp (organizational policy rather than system specification) | ||
====CM-3 (2) Configuration change control: | ====CM-3 (2) Configuration change control: Testing, validation, and documentation of changes==== | ||
This control enhancement recommends the organization test, validate, and document changes to the system before actual implementation on the live system. Operational hardware systems may have to be taken offline or replicated as closely as feasible to test; software systems can often be tested in a separate test environment. In all cases, the organization seeks to minimize impact on active system operations. | This control enhancement recommends the organization test, validate, and document changes to the system before actual implementation on the live system. Operational hardware systems may have to be taken offline or replicated as closely as feasible to test; software systems can often be tested in a separate test environment. In all cases, the organization seeks to minimize impact on active system operations. | ||
| Line 29: | Line 29: | ||
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.15] | * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#34._System_administration LIMSpec 34.15] | ||
====CM-4 | ====CM-4 Impact analyses==== | ||
This control recommends the organization perform | This control recommends the organization perform impact analyses on the system to determine the extent of potentially undesirable consequences upon implementing proposed changes. This typically requires one or more individuals explicitly familiar with the system, the organization's security plans, and the system's architecture documents. Some revelations may also come from enacting security control CM-3 (2). | ||
'''Additional resources''': | '''Additional resources''': | ||
* [https://www. | * [https://www.cisa.gov/sites/default/files/c3vp/crr_resources_guides/CRR_Resource_Guide-CCM.pdf Carnegie Mellon University Configuration and Change Management] | ||
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128] | * [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128] | ||
* No LIMSpec comp (organizational policy rather than system specification) | * No LIMSpec comp (organizational policy rather than system specification) | ||
| Line 43: | Line 43: | ||
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.22] | * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.22] | ||
====CM-5 (1) Access restrictions for change: Automated access enforcement and | ====CM-5 (1) Access restrictions for change: Automated access enforcement and audit records==== | ||
This control enhancement recommends the system allow for the configuration and automated enforcement of access restrictions, as well as the | This control enhancement recommends the system allow for the configuration and automated enforcement of access restrictions, as well as the creation of audit records for the associated enforcement actions. | ||
'''Additional resources''': | '''Additional resources''': | ||
* [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management 32.22, | * [https://www.limswiki.org/index.php/LII:LIMSpec/Maintaining_Laboratory_Workflow_and_Operations#9._Compliance_management LIMSpec 9.2], [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management 32.22, 32.31] | ||
====CM-6 Configuration settings==== | ====CM-6 Configuration settings==== | ||
| Line 53: | Line 53: | ||
'''Additional resources''': | '''Additional resources''': | ||
* [https:// | * [https://ncp.nist.gov/repository NIST's National Checklist Program Repository] | ||
* [https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final NIST Special Publications 800-70, Rev. 4] | * [https://csrc.nist.gov/publications/detail/sp/800-70/rev-4/final NIST Special Publications 800-70, Rev. 4] | ||
* [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128] | * [https://csrc.nist.gov/publications/detail/sp/800-128/final NIST Special Publications 800-128] | ||
| Line 59: | Line 59: | ||
====CM-7 Least functionality==== | ====CM-7 Least functionality==== | ||
This control recommends the organization configure the system to apply the principle of "least functionality." As Georgetown University describes it, "[t]he principle of least functionality provides that information systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system."<ref name="UISO_UIS203">{{cite web |url=https://security.georgetown.edu/config-mgt-policy/least-functionality-guidelines/ |title=UIS.203.7 Least Functionality Guidelines |work=UIS.203 Configuration Management Policy |publisher=University Information Security Office, Georgetown University |accessdate= | This control recommends the organization configure the system to apply the principle of "least functionality." As Georgetown University describes it, "[t]he principle of least functionality provides that information systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system."<ref name="UISO_UIS203">{{cite web |url=https://security.georgetown.edu/config-mgt-policy/least-functionality-guidelines/ |title=UIS.203.7 Least Functionality Guidelines |work=UIS.203 Configuration Management Policy |publisher=University Information Security Office, Georgetown University |accessdate=21 March 2023}}</ref> NIST also notes that organizations can "employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services." | ||
'''Additional resources''': | '''Additional resources''': | ||
| Line 65: | Line 65: | ||
* [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.18] | * [https://www.limswiki.org/index.php/LII:LIMSpec/Security_and_Integrity_of_Systems_and_Operations#32._Configuration_management LIMSpec 32.18] | ||
====CM-8 | ====CM-8 System component inventory==== | ||
This control recommends the organization develop and document a complete inventory of the various components within the authorization boundary of the system. That inventory should accurately portray the current system, have sufficient detail for accountability, and be detailed at a granular enough level for convenient tracking and reporting. The organization should also review and update the inventory in a defined frequency. | This control recommends the organization develop and document a complete inventory of the various components within the authorization boundary of the system. That inventory should accurately portray the current system, have sufficient detail for accountability, and be detailed at a granular enough level for convenient tracking and reporting. The organization should also review and update the inventory in a defined frequency. | ||
Latest revision as of 15:53, 21 March 2023
Appendix 1.5 Configuration management
CM-1 Policy and procedures
This control recommends the organization develop, document, disseminate, review, and update configuration management policies and procedures. It asks organizations to not only address the purpose, scope, roles, responsibilities, and enforcement of configuration management action but also to address how those policies and procedures will be implemented, reviewed, and updated.
Additional resources:
- NIST Special Publications 800-12, Rev. 1, page 61
- NIST Special Publications 800-100, pages 131–37
- LIMSpec 7.1, 7.2
CM-2 Baseline configuration
This control recommends the organization develop, document, and maintain a baseline configuration of the information system and its components, including their network topology and logical placement within the system. The end result should fully reflect the existing enterprise architecture.
Additional resources:
- NIST Special Publications 800-128
- No LIMSpec comp (organizational policy rather than system specification)
CM-3 Configuration change control
This control recommends the organization develop a series of configuration change control steps to ensure that system upgrades and modifications cause little to no impact in the overall cybersecurity strength of the system. NIST specifically recommends the organization determine which system changes are linked to configuration control, review and approve proposed changes, document and retain those decisions, implement the approved changes, and audit and review the changes.
Additional resources:
- Carnegie Mellon University Configuration and Change Management
- NIST Special Publications 800-128
- No LIMSpec comp (organizational policy rather than system specification)
CM-3 (2) Configuration change control: Testing, validation, and documentation of changes
This control enhancement recommends the organization test, validate, and document changes to the system before actual implementation on the live system. Operational hardware systems may have to be taken offline or replicated as closely as feasible to test; software systems can often be tested in a separate test environment. In all cases, the organization seeks to minimize impact on active system operations.
Additional resources:
CM-4 Impact analyses
This control recommends the organization perform impact analyses on the system to determine the extent of potentially undesirable consequences upon implementing proposed changes. This typically requires one or more individuals explicitly familiar with the system, the organization's security plans, and the system's architecture documents. Some revelations may also come from enacting security control CM-3 (2).
Additional resources:
- Carnegie Mellon University Configuration and Change Management
- NIST Special Publications 800-128
- No LIMSpec comp (organizational policy rather than system specification)
CM-5 Access restrictions for change
This control recommends the organization define, document, approve, and enforce all the physical and logical access restrictions associated with making changes to the system configuration. Doing so creates a base policy that helps ensure "only qualified and authorized individuals [can] access information systems for purposes of initiating changes, including upgrades and modifications."
Additional resources:
CM-5 (1) Access restrictions for change: Automated access enforcement and audit records
This control enhancement recommends the system allow for the configuration and automated enforcement of access restrictions, as well as the creation of audit records for the associated enforcement actions.
Additional resources:
CM-6 Configuration settings
This control recommends the organization develop and implement a complete set of configuration settings for the hardware, software, and firmware that make up the information system. Those settings should ultimately reflect restrictions consistent with operational requirements and organizational policy. Additionally, the organization should perform change control on the settings, such that suggested deviations are not detrimental to the system and overall cybersecurity goals.
Additional resources:
- NIST's National Checklist Program Repository
- NIST Special Publications 800-70, Rev. 4
- NIST Special Publications 800-128
- No LIMSpec comp (organizational policy rather than system specification)
CM-7 Least functionality
This control recommends the organization configure the system to apply the principle of "least functionality." As Georgetown University describes it, "[t]he principle of least functionality provides that information systems are configured to provide only essential capabilities and to prohibit or restrict the use of non-essential functions, such as ports, protocols, and/or services that are not integral to the operation of that information system."[1] NIST also notes that organizations can "employ network scanning tools, intrusion detection and prevention systems, and end-point protection technologies, such as firewalls and host-based intrusion detection systems, to identify and prevent the use of prohibited functions, protocols, ports, and services."
Additional resources:
CM-8 System component inventory
This control recommends the organization develop and document a complete inventory of the various components within the authorization boundary of the system. That inventory should accurately portray the current system, have sufficient detail for accountability, and be detailed at a granular enough level for convenient tracking and reporting. The organization should also review and update the inventory in a defined frequency.
Additional resources:
- NIST Special Publications 800-128
- No LIMSpec comp (organizational policy rather than system specification)
CM-10 Software usage restrictions
This control recommends the organization make an effort to track the use of software and associated documentation to ensure both are being used legally and within contract agreements. The organization should also control against and document instances of software or documentation being copied, distributed, or used in an unauthorized fashion.
Additional resources:
- No LIMSpec comp (organizational policy rather than system specification)
CM-11 User-installed software
This control recommends the organization develop, document, and enforce policies governing if and when users may install software within the system. This includes monitoring for policy compliance at a defined frequency. Enforcement may be procedural, automated, or both.
Additional resources:
- No LIMSpec comp (organizational policy rather than system specification)
- ↑ "UIS.203.7 Least Functionality Guidelines". UIS.203 Configuration Management Policy. University Information Security Office, Georgetown University. https://security.georgetown.edu/config-mgt-policy/least-functionality-guidelines/. Retrieved 21 March 2023.
