800-53|CM-3

Title

CONFIGURATION CHANGE CONTROL

Description

The organization:

Supplemental

Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.

Reference Item Details

Related: CA-7,CM-2,CM-4,CM-5,CM-6,CM-9,SA-10,SI-12,SI-2

Category: CONFIGURATION MANAGEMENT

Family: CONFIGURATION MANAGEMENT

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.2.3.7 Set 'Do not apply during periodic background processing' to 'Enabled:FALSE'WindowsCIS Windows 8 L1 v1.0.0
1.2.3.8 Set 'Process even if the Group Policy objects have not changed' to 'Enabled:TRUE'WindowsCIS Windows 8 L1 v1.0.0
1.3.1 Ensure AIDE is installedUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked - aideUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked - cronUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked - mailUnixCIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to trueUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.3.7 Ensure that the RotateKubeletServerCertificate argument is set to trueUnixCIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.4.5.1 Ensure 'aaa accounting command' is configured correctlyCiscoCIS Cisco ASA 9.x Firewall L1 v1.0.0
1.4.5.1 Ensure 'aaa command accounting' is configured correctlyCiscoCIS Cisco Firewall v8.x L1 v4.2.0
1.4.5.1 Ensure 'aaa command accounting' is configured correctlyCiscoCIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctlyCiscoCIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctlyCiscoCIS Cisco ASA 9.x Firewall L1 v1.0.0
1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctlyCiscoCIS Cisco Firewall v8.x L1 v4.2.0
1.4.5.3 Ensure 'aaa accounting for Serial console' is configured correctlyCiscoCIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.3 Ensure 'aaa accounting for Serial console' is configured correctlyCiscoCIS Cisco ASA 9.x Firewall L1 v1.0.0
1.4.5.3 Ensure 'aaa accounting for Serial console' is configured correctlyCiscoCIS Cisco Firewall v8.x L1 v4.2.0
1.4.5.4 Ensure 'aaa accounting for EXEC mode' is configured correctlyCiscoCIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.4 Ensure 'aaa accounting for EXEC mode' is configured correctlyCiscoCIS Cisco Firewall v8.x L1 v4.2.0
1.4.5.4 Ensure 'aaa accounting for EXEC mode' is configured correctlyCiscoCIS Cisco ASA 9.x Firewall L1 v1.0.0
2.1.13 Ensure that the --rotate-certificates argument is not set to falseUnixCIS Kubernetes 1.11 Benchmark v1.3.0 L1
2.5 Ensure Non-Default, Unique Cryptographic Material is in UseUnixCIS MySQL 5.7 Community Linux OS L1 v2.0.0
2.5 Ensure Non-Default, Unique Cryptographic Material is in UseUnixCIS MySQL 5.7 Enterprise Linux OS L1 v2.0.0
2.6 Ensure Non-Default, Unique Cryptographic Material is in UseUnixCIS MySQL 8.0 Enterprise Linux OS L1 v1.3.0
2.6 Ensure Non-Default, Unique Cryptographic Material is in UseUnixCIS MySQL 8.0 Community Linux OS L1 v1.0.0
3.15 Ensure Accept Domain Name over TCP (Zone Transfer) is not enabledCheckPointCIS Check Point Firewall L2 v1.1.0
3.16 Ensure Accept Domain Name over UDP (Queries) is not enabledCheckPointCIS Check Point Firewall L2 v1.1.0
3.18 Ensure Allow bi-directional NAT is enabledCheckPointCIS Check Point Firewall L2 v1.1.0
3.19 Ensure Automatic ARP Configuration NAT is enabledCheckPointCIS Check Point Firewall L2 v1.1.0
4.1 Configure Local Configuration Backup ScheduleCiscoCIS Cisco NX-OS L1 v1.0.0
4.2 Configure a Remote Backup ScheduleCiscoCIS Cisco NX-OS L1 v1.0.0
4.3 Configure Alerts on all Configuration ChangesCiscoCIS Cisco NX-OS L2 v1.0.0
4.16 Ensure AWS Security Hub is enabledamazon_awsCIS Amazon Web Services Foundations L2 2.0.0
9.1.4 (L1) Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.1.4 Ensure 'Windows Firewall: Domain: Settings: Display a notification' is set to 'No'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
9.2.4 (L1) Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.2.4 Ensure 'Windows Firewall: Private: Settings: Display a notification' is set to 'No'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
9.3.4 (L1) Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.3.4 Ensure 'Windows Firewall: Public: Settings: Display a notification' is set to 'No'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
9.3.5 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.3.5 Ensure 'Windows Firewall: Public: Settings: Apply local firewall rules' is set to 'No'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
9.3.6 (L1) Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
9.3.6 Ensure 'Windows Firewall: Public: Settings: Apply local connection security rules' is set to 'No'WindowsCIS Microsoft Windows 8.1 v2.4.1 L1
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
18.8.21.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.8.21.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
18.8.21.4 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'WindowsCIS Windows 7 Workstation Level 1 v3.2.0
18.8.21.4 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled'WindowsCIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
Big Sur - Configure the System to Notify upon Baseline Configuration ChangesUnixNIST macOS Big Sur v1.4.0 - All Profiles