800-53|CM-3

Title

CONFIGURATION CHANGE CONTROL

Description

The organization:

Supplemental

Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.

Reference Item Details

Related: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-12, SI-2

Category: CONFIGURATION MANAGEMENT

Family: CONFIGURATION MANAGEMENT

Priority: P1

Baseline Impact: MODERATE, HIGH

Audit Items

Name | Plugin | Audit Name
1.2.3.7 Set 'Do not apply during periodic background processing' to 'Enabled:FALSE' | Windows | CIS Windows 8 L1 v1.0.0
1.2.3.8 Set 'Process even if the Group Policy objects have not changed' to 'Enabled:TRUE' | Windows | CIS Windows 8 L1 v1.0.0
1.3.1 Ensure AIDE is installed | Unix | CIS Amazon Linux 2 STIG v2.0.0 L1 Server
1.3.1 Ensure AIDE is installed | Unix | CIS Amazon Linux 2 STIG v2.0.0 L1 Workstation
1.3.1 Ensure AIDE is installed | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.1 Ensure AIDE is installed | Unix | CIS Amazon Linux 2 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked | Unix | CIS Amazon Linux 2 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked | Unix | CIS Amazon Linux 2 STIG v2.0.0 L1 Server
1.3.2 Ensure filesystem integrity is regularly checked | Unix | CIS Amazon Linux 2 STIG v2.0.0 L1 Workstation
1.3.2 Ensure filesystem integrity is regularly checked - aide | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked - cron | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.2 Ensure filesystem integrity is regularly checked - mail | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG
1.3.6 Ensure that the RotateKubeletServerCertificate argument is set to true | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
1.3.7 Ensure that the RotateKubeletServerCertificate argument is set to true | Unix | CIS Kubernetes 1.8 Benchmark v1.2.0 L1
1.4.5.1 Ensure 'aaa command accounting' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.1 Ensure 'aaa command accounting' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.5.2 Ensure 'aaa accounting for SSH' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.3 Ensure 'aaa accounting for Serial console' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.3 Ensure 'aaa accounting for Serial console' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.4.5.4 Ensure 'aaa accounting for EXEC mode' is configured correctly | Cisco | CIS Cisco Firewall ASA 9 L1 v4.1.0
1.4.5.4 Ensure 'aaa accounting for EXEC mode' is configured correctly | Cisco | CIS Cisco Firewall v8.x L1 v4.2.0
1.9 UBTU-24-100130 | Unix | CIS Ubuntu Linux 24.04 LTS STIG v1.0.0 CAT II
1.11 Ensure the mailx package is installed | Unix | CIS Red Hat Enterprise Linux 8 STIG v2.0.0 STIG
1.22 WN16-00-000240 | Windows | CIS Microsoft Windows Server 2016 STIG v4.0.0 DC CAT II
1.22 WN16-00-000240 | Windows | CIS Microsoft Windows Server 2016 STIG v4.0.0 MS CAT II
1.22 WN19-00-000220 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 MS CAT II
1.22 WN19-00-000220 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.22 WN22-00-000220 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.22 WN22-00-000220 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II
1.55 OL08-00-010358 | Unix | CIS Oracle Linux 8 STIG v1.0.0 CAT II
1.57 OL08-00-010360 | Unix | CIS Oracle Linux 8 STIG v1.0.0 CAT II
1.66 RHEL-09-215095 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.106 WN16-CC-000150 | Windows | CIS Microsoft Windows Server 2016 STIG v4.0.0 MS CAT II
1.106 WN16-CC-000150 | Windows | CIS Microsoft Windows Server 2016 STIG v4.0.0 DC CAT II
1.107 WN19-CC-000140 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 DC CAT II
1.107 WN19-CC-000140 | Windows | CIS Microsoft Windows Server 2019 STIG v4.0.0 MS CAT II
1.107 WN22-CC-000140 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 MS CAT II
1.107 WN22-CC-000140 | Windows | CIS Microsoft Windows Server 2022 STIG v3.0.0 DC CAT II
1.113 UBTU-22-651020 | Unix | CIS Ubuntu Linux 22.04 LTS STIG v1.0.0 CAT II
1.122 WN10-CC-000090 | Windows | CIS Microsoft Windows 10 STIG v1.0.0 CAT II
1.351 RHEL-09-651010 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
1.352 RHEL-09-651015 | Unix | CIS Red Hat Enterprise Linux 9 STIG v1.0.0 CAT II
2.1.13 Ensure that the --rotate-certificates argument is not set to false | Unix | CIS Kubernetes 1.11 Benchmark v1.3.0 L1
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.8.21.2 Ensure 'Configure registry policy processing: Do not apply during periodic background processing' is set to 'Enabled: FALSE' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.8.21.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.8.21.3 Ensure 'Configure registry policy processing: Process even if the Group Policy objects have not changed' is set to 'Enabled: TRUE' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0
18.8.21.4 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 v3.2.0
18.8.21.4 Ensure 'Turn off background refresh of Group Policy' is set to 'Disabled' | Windows | CIS Windows 7 Workstation Level 1 + Bitlocker v3.2.0