4.9 KiB
| implementation-status | control-origination | |||||
|---|---|---|---|---|---|---|
|
|
cm-9 - [catalog] Configuration Management Plan
Control Statement
Develop, document, and implement a configuration management plan for the system that:
-
[a] Addresses roles, responsibilities, and configuration management processes and procedures;
-
[b] Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
-
[c] Defines the configuration items for the system and places the configuration items under configuration management;
-
[d] Is reviewed and approved by personnel or roles ; and
-
[e] Protects the configuration management plan from unauthorized disclosure and modification.
Control guidance
Configuration management activities occur throughout the system development life cycle. As such, there are developmental configuration management activities (e.g., the control of code and software libraries) and operational configuration management activities (e.g., control of installed components and how the components are configured). Configuration management plans satisfy the requirements in configuration management policies while being tailored to individual systems. Configuration management plans define processes and procedures for how configuration management is used to support system development life cycle activities.
Configuration management plans are generated during the development and acquisition stage of the system development life cycle. The plans describe how to advance changes through change management processes; update configuration settings and baselines; maintain component inventories; control development, test, and operational environments; and develop, release, and update key documents.
Organizations can employ templates to help ensure the consistent and timely development and implementation of configuration management plans. Templates can represent a configuration management plan for the organization with subsets of the plan implemented on a system by system basis. Configuration management approval processes include the designation of key stakeholders responsible for reviewing and approving proposed changes to systems, and personnel who conduct security and privacy impact analyses prior to the implementation of changes to the systems. Configuration items are the system components, such as the hardware, software, firmware, and documentation to be configuration-managed. As systems continue through the system development life cycle, new configuration items may be identified, and some existing configuration items may no longer need to be under configuration control.
Control assessment-objective
a configuration management plan for the system is developed and documented; a configuration management plan for the system is implemented; the configuration management plan addresses roles; the configuration management plan addresses responsibilities; the configuration management plan addresses configuration management processes and procedures; the configuration management plan establishes a process for identifying configuration items throughout the system development life cycle; the configuration management plan establishes a process for managing the configuration of the configuration items; the configuration management plan defines the configuration items for the system; the configuration management plan places the configuration items under configuration management; the configuration management plan is reviewed and approved by personnel or roles; the configuration management plan is protected from unauthorized disclosure; the configuration management plan is protected from unauthorized modification.
What is the solution and how is it implemented?
Implementation a.
Add control implementation description here for item cm-9_smt.a
Implementation b.
Add control implementation description here for item cm-9_smt.b
Implementation c.
Add control implementation description here for item cm-9_smt.c
Implementation d.
Add control implementation description here for item cm-9_smt.d
Implementation e.
Add control implementation description here for item cm-9_smt.e