All Agency-owned information resources shall adopt Center for Internet Security (CIS) Benchmarks Level I standards as the configuration baseline whenever possible. Certain information resources may require an enhanced baseline, such as CIS Benchmarks Level II, USGCB, DISA STIG, etc. and shall be evaluated by the chief information security officer prior to implementation.
In situations where a configuration baseline does not exist, the resource’s factory defaults are considered the baseline and all changes to the baseline shall be documented and comprehensively tested against the Agency vulnerability scanner. Any unremediated vulnerabilities shall be documented with a justification and risk acceptance statement, and approved by the information resource owner. All information systems shall employ the principle of least functionality, with only essential capabilities enabled and all other functions, ports, protocols, and/or services disabled or restricted.
Risk Statement The change management process in place does not adequately protect the environment from disruptive changes in production.
Control Description The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].
Control Example The organization has written, documented configuration management policies and procedures in place.
State Implementation The organization establishes the process for controlling modifications to hardware, software, firmware, and documentation to ensure the information resources are protected against improper modification before, during, and after system implementation.
Testing Procedures Obtain configuration management policy and procedures; other relevant documents or records and ascertain if: (I)the organization develops and documents configuration management policy and procedures. (ii)the organization disseminates configuration management policy and procedures to appropriate elements within the organization. (iii)responsible parties within the organization periodically review configuration management policy and procedures. (iv)the organization updates configuration management policy and procedures when organizational review indicates updates are required. (v)the configuration management policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance; (vi)the configuration management policy is consistent with the organization’s mission and functions and with applicable laws, directives, policies, regulations, standards, and guidance; and (vii)the configuration management procedures address all areas identified in the configuration management policy and address achieving policy-compliant implementations of all associated configuration management controls.