>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

CM-2(2)Baseline Configuration | Automation Support for Accuracy and Currency

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using organization-defined automated mechanisms.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Automated mechanisms that help organizations maintain consistent baseline configurations for systems include configuration management tools, hardware, software, firmware inventory tools, and network management tools. Automated tools can be used at the organization level, mission and business process level, or system level on workstations, servers, notebook computers, network components, or mobile devices. Tools can be used to track version numbers on operating systems, applications, types of software installed, and current patch levels.

Automation support for accuracy and currency can be satisfied by the implementation of CM-8(2) for organizations that combine system component inventory and baseline configuration activities.

>Programmatic Queries

Beta

Related Services

AWS Config
AWS Systems Manager

CLI Commands

List Config rules for baseline compliance
aws configservice describe-config-rules --region us-east-1
Check Config conformance packs
aws configservice describe-conformance-packs --region us-east-1
Get SSM automation executions
aws ssm describe-automation-executions --region us-east-1
List SSM documents for configuration automation
aws ssm list-documents --document-filter-list key=DocumentType,value=Automation --region us-east-1
Open AWS ConsoleDocumentation

>Related Controls

CM-7
IA-3
RA-5

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-2(2) (Automation Support For Accuracy And Currency)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-2(2)?
  • How frequently is the CM-2(2) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-2(2)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-2(2) requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-2(2)?
  • How is CM-2(2) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-2(2) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-2(2)?
  • What audit logs, records, reports, or monitoring data validate CM-2(2) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-2(2) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-2(2) compliance?

Ask AI

Configure your API key to use AI features.