myctrl.tools
Compare

CM-2(6)Development And Test Environments

>Control Description

Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.

>Cross-Framework Mappings

SCF

CFG-02.4
Compare

>Supplemental Guidance

Establishing separate baseline configurations for development, testing, and operational environments protects systems from unplanned or unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, the management of operational configurations typically emphasizes the need for stability, while the management of development or test configurations requires greater flexibility.

Configurations in the test environment mirror configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. Separate baseline configurations do not necessarily require separate physical environments.

>Related Controls

CM-4
SC-3
SC-7

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-2(6) (Development And Test Environments)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-2(6)?
  • How frequently is the CM-2(6) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-2(6)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-2(6) requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-2(6)?
  • How is CM-2(6) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-2(6) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-2(6)?
  • What audit logs, records, reports, or monitoring data validate CM-2(6) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-2(6) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-2(6) compliance?

Ask AI

Configure your API key to use AI features.