CM-6—Configuration Settings
>Control Description
a. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [Assignment: organization-defined common secure configurations];
b. Implement the configuration settings;
c. Identify, document, and approve any deviations from established configuration settings for [Assignment: organization-defined system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
>DoD Impact Level Requirements
Additional Requirements and Guidance
CM-6 (a) Requirement 1: The service provider shall use the DoD STIGs to establish configuration settings; Center for Internet Security up to Level 2 (CIS Level 2) guidelines shall be used if STIGs are not available; custom baselines shall be used if CIS is not available.
CM-6 (a) Requirement 2: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
CM-6 Guidance: Compliance checks are used to evaluate configuration settings and provide general insight into the overall effectiveness of configuration management activities. CSPs and 3PAOs typically combine compliance check findings into a single CM-6 finding, which is acceptable. However, for initial assessments, annual assessments, and significant change requests, FedRAMP requires a clear understanding, on a per-control basis, of where risks exist. Therefore, 3PAOs must also analyze compliance check findings as part of the controls assessment. Where a direct mapping exists, the 3PAO must document additional findings per control in the corresponding SAR Risk Exposure Table (RET), which are then documented in the CSP's Plan of Action and Milestones (POA&M). This will likely result in the details of individual control findings overlapping with those in the combined CM-6 finding, which is acceptable. During monthly continuous monitoring, new findings from CSP compliance checks may be combined into a single CM-6 POA&M item. CSPs are not required to map the findings to specific controls because controls are only assessed during initial assessments, annual assessments, and significant change requests.
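As an added example (not part of this page, FedRAMP, or AWS tooling), the Python below triages output in the shape returned by the `aws configservice describe-compliance-by-config-rule` command listed under Programmatic Queries into the single combined CM-6 item and, for assessments only, the per-control RET entries the guidance describes; the sample results and the rule-to-control mapping are constructed, and in practice the mapping comes from the CSP's SSP.

```python
"""Triage AWS Config compliance results into CM-6 findings (added example).
Input shape follows `aws configservice describe-compliance-by-config-rule`;
the sample rules below and RULE_TO_CONTROL are constructed for illustration."""
import json

# Constructed sample output: two NON_COMPLIANT, one COMPLIANT, one INSUFFICIENT_DATA.
SAMPLE_OUTPUT = json.dumps({"ComplianceByConfigRules": [
    {"ConfigRuleName": "s3-bucket-public-read-prohibited", "Compliance": {
        "ComplianceType": "NON_COMPLIANT",
        "ComplianceContributorCount": {"CappedCount": 4, "CapExceeded": False}}},
    {"ConfigRuleName": "ec2-managedinstance-association-compliance-status-check",
     "Compliance": {"ComplianceType": "NON_COMPLIANT",
                    "ComplianceContributorCount": {"CappedCount": 7, "CapExceeded": False}}},
    {"ConfigRuleName": "cloudtrail-enabled", "Compliance": {"ComplianceType": "COMPLIANT"}},
    {"ConfigRuleName": "restricted-ssh", "Compliance": {"ComplianceType": "INSUFFICIENT_DATA"}},
]})

# Hypothetical mapping of rule name -> the control the rule directly tests.
# Rules with no entry have no direct mapping and appear only in the combined CM-6 item.
RULE_TO_CONTROL = {"s3-bucket-public-read-prohibited": "AC-3",
                   "cloudtrail-enabled": "AU-2"}

def noncompliant_rules(cli_json):
    """Return ({rule: contributor_count} for NON_COMPLIANT rules, [unevaluated rules]).
    INSUFFICIENT_DATA is not a finding, but it is not evidence of a secure setting either."""
    failing, unevaluated = {}, []
    for entry in json.loads(cli_json)["ComplianceByConfigRules"]:
        comp = entry["Compliance"]
        if comp["ComplianceType"] == "NON_COMPLIANT":
            count = comp.get("ComplianceContributorCount", {}).get("CappedCount", 0)
            failing[entry["ConfigRuleName"]] = count
        elif comp["ComplianceType"] == "INSUFFICIENT_DATA":
            unevaluated.append(entry["ConfigRuleName"])
    return failing, unevaluated

def build_findings(cli_json, mapping, assessment):
    """Always produce the combined CM-6 item; add per-control RET entries only when
    `assessment` is True (initial, annual, significant change). Monthly ConMon
    runs pass assessment=False and keep a single CM-6 POA&M item."""
    failing, _ = noncompliant_rules(cli_json)
    findings = {"CM-6": sorted(failing)}
    if assessment:
        for rule in sorted(failing):
            control = mapping.get(rule)
            if control:  # direct mapping exists -> also documented under that control
                findings.setdefault(control, []).append(rule)
    return findings
```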
>Discussion
Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections.
Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems.
The established settings become part of the configuration baseline for the system. Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.
Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline (USGCB) and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.
>Programmatic Queries
Related Services
CLI Commands
aws configservice describe-conformance-packs
aws securityhub get-enabled-standards
aws configservice describe-compliance-by-config-rule
aws ssm list-associations
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What formal policies and procedures govern the implementation of CM-6 (Configuration Settings)?
- Who are the designated roles responsible for implementing, maintaining, and monitoring CM-6?
- How frequently is the CM-6 policy reviewed and updated, and what triggers policy changes?
- What training or awareness programs ensure personnel understand their responsibilities related to CM-6?
Technical Implementation:
- Describe the specific technical mechanisms or controls used to enforce CM-6 requirements.
- What automated tools, systems, or technologies are deployed to implement CM-6?
- How is CM-6 integrated into your system architecture and overall security posture?
- What configuration settings, parameters, or technical specifications enforce CM-6 requirements?
Evidence & Documentation:
- What documentation demonstrates the complete implementation of CM-6?
- What audit logs, records, reports, or monitoring data validate CM-6 compliance?
- Can you provide evidence of periodic reviews, assessments, or testing of CM-6 effectiveness?
- What artifacts would you present during a FedRAMP assessment to demonstrate CM-6 compliance?