>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

CM-2(7)Baseline Configuration | Configure Systems and Components for High-risk Areas

IL4 Mod
IL4 High
IL5
IL6

>Control Description

(a) Issue organization-defined systems or system components with organization-defined configurations to individuals traveling to locations that the organization deems to be of significant risk; and (b) Apply the following controls to the systems or components when the individuals return from travel: organization-defined controls.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

When it is known that systems or system components will be in high-risk areas external to the organization, additional controls may be implemented to counter the increased threat in such areas. For example, organizations can take actions for notebook computers used by individuals departing on and returning from travel. Actions include determining the locations that are of concern, defining the required configurations for the components, ensuring that components are configured as intended before travel is initiated, and applying controls to the components after travel is completed.

Specially configured notebook computers include computers with sanitized hard drives, limited applications, and more stringent configuration settings. Controls applied to mobile devices upon return from travel include examining the mobile device for signs of physical tampering and purging and reimaging disk drives. Protecting information that resides on mobile devices is addressed in the MP (Media Protection) family.

>Programmatic Queries

Beta

Related Services

AWS Config
AWS Security Hub

CLI Commands

Evaluate compliance for high-risk EC2 configurations
aws configservice describe-compliance-by-config-rule --region us-east-1
Get Security Hub findings for configuration issues
aws securityhub get-findings --filters '{"SeverityLabel": [{"Value": "CRITICAL", "Comparison": "EQUALS"}]}' --region us-east-1
Put Config rule for high-risk resource validation
aws configservice put-config-rule --config-rule file://high-risk-rule.json --region us-east-1
Open AWS ConsoleDocumentation

>Related Controls

MP-4
MP-5

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-2(7) (Configure Systems And Components For High-Risk Areas)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-2(7)?
  • How frequently is the CM-2(7) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-2(7)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-2(7) requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-2(7)?
  • How is CM-2(7) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-2(7) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-2(7)?
  • What audit logs, records, reports, or monitoring data validate CM-2(7) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-2(7) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-2(7) compliance?

Ask AI

Configure your API key to use AI features.