Control statement
Develop, document, and implement a configuration management plan for the system that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
c. Defines the configuration items for the system and places the configuration items under configuration management;
d. Is reviewed and approved by {{ insert: param, cm-09_odp }} ; and
e. Protects the configuration management plan from unauthorized disclosure and modification.
Guidance: FedRAMP does not provide a template for the Configuration Management Plan. However, NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, provides guidelines for the implementation of CM controls as well as a sample CMP outline in Appendix D of the Guide Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is
preserved in the catalog database.
Covered by these Key Security Indicators
| KSI | Title | Category |
|---|---|---|
| KSI-CMT-04 | Change Management Procedures _Persistently_ review the effectiveness of documented change management procedures. | Change Management |
| KSI-IAM-04 | Just-in-Time Authorization Use a least-privileged, role and attribute-based, and just-in-time security authorization model for all user and non-user accounts and services. | Identity and Access Management |
| KSI-IAM-05 | Least Privilege _Persistently_ ensure that identity and access management employs measures to ensure each user or device can only access the resources they need. | Identity and Access Management |