CM — Configuration Management
Stokes Frederick Co
SPRS Score: -131
Objective Progress: 0 / 44 (0.0%)
CMMC Practices MET: 0 / 9
Domain Score Impact: -33
CMMC scoring changes when all assessment objectives for a practice are MET; objective progress updates as each objective is assessed.
CM.L2-3.4.1
DoD Weight: 5
Deduction: -5
Basic
Not Yet Assessed
Requirement: Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses: 3.4.1[a] = Not Yet Assessed; 3.4.1[b] = Not Yet Assessed; 3.4.1[c] = Not Yet Assessed; 3.4.1[d] = Not Yet Assessed; 3.4.1[e] = Not Yet Assessed; 3.4.1[f] = Not Yet Assessed
Assessment Objectives (6)
- 3.4.1[a] (Not Yet Assessed) Determine if: a baseline configuration is established.
- 3.4.1[b] (Not Yet Assessed) Determine if: the baseline configuration includes hardware, software, firmware, and documentation.
- 3.4.1[c] (Not Yet Assessed) Determine if: the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle.
- 3.4.1[d] (Not Yet Assessed) Determine if: a system inventory is established.
- 3.4.1[e] (Not Yet Assessed) Determine if: the system inventory includes hardware, software, firmware, and documentation.
- 3.4.1[f] (Not Yet Assessed) Determine if: the inventory is maintained (reviewed and updated) throughout the system development life cycle.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the system; procedures addressing system inventory; security plan; configuration management plan; system inventory records; inventory review and update records; enterprise architecture documentation; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; change control records; system component installation records; system component removal records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with configuration management responsibilities; personnel with responsibilities for establishing the system inventory; personnel with responsibilities for updating the system inventory; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for managing baseline configurations; mechanisms supporting configuration control of the baseline configuration; organizational processes for developing and documenting an inventory of system components; organizational processes for updating inventory of system components; mechanisms supporting or implementing the system inventory; mechanisms implementing updating of the system inventory].
CM.L2-3.4.2
DoD Weight: 5
Deduction: -5
Basic
Not Yet Assessed
Requirement: Establish and enforce security configuration settings for information technology products employed in organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses: 3.4.2[a] = Not Yet Assessed; 3.4.2[b] = Not Yet Assessed
Assessment Objectives (2)
- 3.4.2[a] (Not Yet Assessed) Determine if: security configuration settings for information technology products employed in the system are established and included in the baseline configuration.
- 3.4.2[b] (Not Yet Assessed) Determine if: security configuration settings for information technology products employed in the system are enforced.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Configuration management policy; procedures addressing configuration settings for the system; configuration management plan; security plan; system design documentation; system configuration settings and associated documentation; security configuration checklists; evidence supporting approved deviations from established configuration settings; change control records; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with security configuration management responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for managing configuration settings; mechanisms that implement, monitor, and/or control system configuration settings; mechanisms that identify and/or document deviations from established configuration settings].
CM.L2-3.4.3
DoD Weight: 1
Deduction: -1
Basic
Not Yet Assessed
Requirement: Track, review, approve or disapprove, and log changes to organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses: 3.4.3[a] = Not Yet Assessed; 3.4.3[b] = Not Yet Assessed; 3.4.3[c] = Not Yet Assessed; 3.4.3[d] = Not Yet Assessed
Assessment Objectives (4)
- 3.4.3[a] (Not Yet Assessed) Determine if: changes to the system are tracked.
- 3.4.3[b] (Not Yet Assessed) Determine if: changes to the system are reviewed.
- 3.4.3[c] (Not Yet Assessed) Determine if: changes to the system are approved or disapproved.
- 3.4.3[d] (Not Yet Assessed) Determine if: changes to the system are logged.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Configuration management policy; procedures addressing system configuration change control; configuration management plan; system architecture and configuration documentation; security plan; change control records; system audit logs and records; change control audit and review reports; agenda/minutes from configuration change control oversight meetings; other relevant documents or records].
Interview: [SELECT FROM: Personnel with configuration change control responsibilities; personnel with information security responsibilities; system or network administrators; members of change control board or similar].
Test: [SELECT FROM: Organizational processes for configuration change control; mechanisms that implement configuration change control].
CM.L2-3.4.4
DoD Weight: 1
Deduction: -1
Basic
Not Yet Assessed
Requirement: Analyze the security impact of changes prior to implementation.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses: 3.4.4 = Not Yet Assessed
Assessment Objectives (1)
- 3.4.4 (Not Yet Assessed) Determine if: the security impact of changes to each organizational system is analyzed prior to implementation.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Configuration management policy; procedures addressing security impact analysis for changes to the system; configuration management plan; security impact analysis documentation; security plan; analysis tools and associated outputs; change control records; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibility for conducting security impact analysis; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for security impact analysis].
CM.L2-3.4.5
DoD Weight: 5
Deduction: -5
Basic
Not Yet Assessed
Requirement: Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses: 3.4.5[a] = Not Yet Assessed; 3.4.5[b] = Not Yet Assessed; 3.4.5[c] = Not Yet Assessed; 3.4.5[d] = Not Yet Assessed; 3.4.5[e] = Not Yet Assessed; 3.4.5[f] = Not Yet Assessed; and 2 more
Assessment Objectives (8)
- 3.4.5[a] (Not Yet Assessed) Determine if: physical access restrictions associated with changes to the system are defined.
- 3.4.5[b] (Not Yet Assessed) Determine if: physical access restrictions associated with changes to the system are documented.
- 3.4.5[c] (Not Yet Assessed) Determine if: physical access restrictions associated with changes to the system are approved.
- 3.4.5[d] (Not Yet Assessed) Determine if: physical access restrictions associated with changes to the system are enforced.
- 3.4.5[e] (Not Yet Assessed) Determine if: logical access restrictions associated with changes to the system are defined.
- 3.4.5[f] (Not Yet Assessed) Determine if: logical access restrictions associated with changes to the system are documented.
- 3.4.5[g] (Not Yet Assessed) Determine if: logical access restrictions associated with changes to the system are approved.
- 3.4.5[h] (Not Yet Assessed) Determine if: logical access restrictions associated with changes to the system are enforced.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the system; security plan; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; logical access approvals; physical access approvals; access credentials; change control records; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with logical access control responsibilities; personnel with physical access control responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for managing access restrictions associated with changes to the system; mechanisms supporting, implementing, and enforcing access restrictions associated with changes to the system].
CM.L2-3.4.6
DoD Weight: 5
Deduction: -5
Basic
Not Yet Assessed
Requirement: Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses: 3.4.6[a] = Not Yet Assessed; 3.4.6[b] = Not Yet Assessed
Assessment Objectives (2)
- 3.4.6[a] (Not Yet Assessed) Determine if: essential system capabilities are defined based on the principle of least functionality.
- 3.4.6[b] (Not Yet Assessed) Determine if: the system is configured to provide only the defined essential capabilities.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Configuration management policy; configuration management plan; procedures addressing least functionality in the system; security plan; system design documentation; system configuration settings and associated documentation; security configuration checklists; other relevant documents or records].
Interview: [SELECT FROM: Personnel with security configuration management responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes prohibiting or restricting functions, ports, protocols, or services; mechanisms implementing restrictions or prohibition of functions, ports, protocols, or services].
CM.L2-3.4.7
DoD Weight: 5
Deduction: -5
Basic
Not Yet Assessed
Requirement: Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses: 3.4.7[a] = Not Yet Assessed; 3.4.7[b] = Not Yet Assessed; 3.4.7[c] = Not Yet Assessed; 3.4.7[d] = Not Yet Assessed; 3.4.7[e] = Not Yet Assessed; 3.4.7[f] = Not Yet Assessed; and 9 more
Assessment Objectives (15)
- 3.4.7[a] (Not Yet Assessed) Determine if: essential programs are defined.
- 3.4.7[b] (Not Yet Assessed) Determine if: the use of nonessential programs is defined.
- 3.4.7[c] (Not Yet Assessed) Determine if: the use of nonessential programs is restricted, disabled, or prevented as defined.
- 3.4.7[d] (Not Yet Assessed) Determine if: essential functions are defined.
- 3.4.7[e] (Not Yet Assessed) Determine if: the use of nonessential functions is defined.
- 3.4.7[f] (Not Yet Assessed) Determine if: the use of nonessential functions is restricted, disabled, or prevented as defined.
- 3.4.7[g] (Not Yet Assessed) Determine if: essential ports are defined.
- 3.4.7[h] (Not Yet Assessed) Determine if: the use of nonessential ports is defined.
- 3.4.7[i] (Not Yet Assessed) Determine if: the use of nonessential ports is restricted, disabled, or prevented as defined.
- 3.4.7[j] (Not Yet Assessed) Determine if: essential protocols are defined.
- 3.4.7[k] (Not Yet Assessed) Determine if: the use of nonessential protocols is defined.
- 3.4.7[l] (Not Yet Assessed) Determine if: the use of nonessential protocols is restricted, disabled, or prevented as defined.
- 3.4.7[m] (Not Yet Assessed) Determine if: essential services are defined.
- 3.4.7[n] (Not Yet Assessed) Determine if: the use of nonessential services is defined.
- 3.4.7[o] (Not Yet Assessed) Determine if: the use of nonessential services is restricted, disabled, or prevented as defined.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; configuration management plan; security plan; system design documentation; system configuration settings and associated documentation; specifications for preventing software program execution; security configuration checklists; documented reviews of programs, functions, ports, protocols, and/or services; change control records; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for reviewing programs, functions, ports, protocols, and services on the system; personnel with information security responsibilities; system or network administrators; system developers].
Test: [SELECT FROM: Organizational processes for reviewing and disabling nonessential programs, functions, ports, protocols, or services; mechanisms implementing review and handling of nonessential programs, functions, ports, protocols, or services; organizational processes preventing program execution on the system; organizational processes for software program usage and restrictions; mechanisms supporting or implementing software program usage and restrictions; mechanisms preventing program execution on the system].
CM.L2-3.4.8
DoD Weight: 5
Deduction: -5
Basic
Not Yet Assessed
Requirement: Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses: 3.4.8[a] = Not Yet Assessed; 3.4.8[b] = Not Yet Assessed; 3.4.8[c] = Not Yet Assessed
Assessment Objectives (3)
- 3.4.8[a] (Not Yet Assessed) Determine if: a policy specifying whether whitelisting or blacklisting is to be implemented is specified.
- 3.4.8[b] (Not Yet Assessed) Determine if: the software allowed to execute under whitelisting or denied use under blacklisting is specified.
- 3.4.8[c] (Not Yet Assessed) Determine if: whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Configuration management policy; procedures addressing least functionality in the system; security plan; configuration management plan; system design documentation; system configuration settings and associated documentation; list of software programs not authorized to execute on the system; list of software programs authorized to execute on the system; security configuration checklists; review and update records associated with list of authorized or unauthorized software programs; change control records; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for identifying software authorized or not authorized to execute on the system; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational process for identifying, reviewing, and updating programs authorized or not authorized to execute on the system; process for implementing blacklisting or whitelisting; mechanisms supporting or implementing blacklisting or whitelisting].
CM.L2-3.4.9
DoD Weight: 1
Deduction: -1
Basic
Not Yet Assessed
Requirement: Control and monitor user-installed software.
MET gate: This control cannot be marked MET until every child objective is MET.
Blocking objective statuses: 3.4.9[a] = Not Yet Assessed; 3.4.9[b] = Not Yet Assessed; 3.4.9[c] = Not Yet Assessed
Assessment Objectives (3)
- 3.4.9[a] (Not Yet Assessed) Determine if: a policy for controlling the installation of software by users is established.
- 3.4.9[b] (Not Yet Assessed) Determine if: installation of software by users is controlled based on the established policy.
- 3.4.9[c] (Not Yet Assessed) Determine if: installation of software by users is monitored.
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Configuration management policy; procedures addressing user-installed software; configuration management plan; security plan; system design documentation; system configuration settings and associated documentation; list of rules governing user-installed software; system monitoring records; system audit logs and records; continuous monitoring strategy; other relevant documents or records].
Interview: [SELECT FROM: Personnel with responsibilities for governing user-installed software; personnel operating, using, or maintaining the system; personnel monitoring compliance with user-installed software policy; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes governing user-installed software on the system; mechanisms enforcing rules or methods for governing the installation of software by users; mechanisms monitoring policy compliance].