CMMC v2.0 Configuration Management

Controls mapping and traceability diagram. Created by Tara Lemieux and Michael Redman, Schellman Compliance.

1. CM.L2-3.4.9 Control and monitor user-installed software.

1.1. "Determine if:

1.2. (a) a policy for controlling the installation of software by users is established

1.3. (b) installation of software by users is controlled based on the established policy

1.4. (c) installation of software by users is monitored."

2. CM.L2-3.4.4 Analyze the security impact of changes prior to implementation.

2.1. "Determine if:

2.2. (a) the security impact of changes to the system is analyzed prior to implementation."

3. CM.L2-3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.

3.1. "Determine if:

3.2. (a) essential system capabilities are defined based on the principle of least functionality

3.3. (b) the system is configured to provide only the defined essential capabilities."

4. CM.L2-3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.

4.1. "Determine if:

4.2. (a) essential programs are defined

4.3. (b) the use of nonessential programs is defined

4.4. (c) the use of nonessential programs is restricted, disabled, or prevented as defined

4.5. (d) essential functions are defined

4.6. (e) the use of nonessential functions is defined

4.7. (f) the use of nonessential functions is restricted, disabled, or prevented as defined

4.8. (g) essential ports are defined

4.9. (h) the use of nonessential ports is defined

4.10. (i) the use of nonessential ports is restricted, disabled, or prevented as defined

4.11. (j) essential protocols are defined

4.12. (k) the use of nonessential protocols is defined

4.13. (l) the use of nonessential protocols is restricted, disabled, or prevented as defined

4.14. (m) essential services are defined

4.15. (n) the use of nonessential services is defined

4.16. (o) the use of nonessential services is restricted, disabled, or prevented as defined."

5. CM.L2-3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

5.1. "Determine if:

5.2. (a) a baseline configuration is established

5.3. (b) the baseline configuration includes hardware, software, firmware, and documentation

5.4. (c) the baseline configuration is maintained (reviewed and updated) throughout the system development life cycle

5.5. (d) a system inventory is established

5.6. (e) the system inventory includes hardware, software, firmware, and documentation

5.7. (f) the inventory is maintained (reviewed and updated) throughout the system development life cycle."

6. CM.L2-3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.

6.1. "Determine if:

6.2. (a) security configuration settings for information technology products employed in the system are established and included in the baseline configuration

6.3. (b) security configuration settings for information technology products employed in the system are enforced."

7. CM.L2-3.4.3 Track, review, approve or disapprove, and log changes to organizational systems.

7.1. "Determine if:

7.2. (a) changes to the system are tracked

7.3. (b) changes to the system are reviewed

7.4. (c) changes to the system are approved or disapproved

7.5. (d) changes to the system are logged."

8. CM.L2-3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

8.1. "Determine if:

8.2. (a) physical access restrictions associated with changes to the system are defined

8.3. (b) physical access restrictions associated with changes to the system are documented

8.4. (c) physical access restrictions associated with changes to the system are approved

8.5. (d) physical access restrictions associated with changes to the system are enforced

8.6. (e) logical access restrictions associated with changes to the system are defined

8.7. (f) logical access restrictions associated with changes to the system are documented

8.8. (g) logical access restrictions associated with changes to the system are approved

8.9. (h) logical access restrictions associated with changes to the system are enforced."

9. CM.L2-3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

9.1. "Determine if:

9.2. (a) a policy specifying whether whitelisting or blacklisting is to be implemented is specified

9.3. (b) the software allowed to execute under whitelisting or denied use under blacklisting is specified

9.4. (c) whitelisting to allow the execution of authorized software or blacklisting to prevent the use of unauthorized software is implemented as specified."