This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Establishes and documents configuration settings for information technology products employed within the information system using [FedRAMP Assignment: (L)(M)(H) United States Government Configuration Baseline (USGCB)] that reflect the most restrictive mode consistent with operational requirements;
b. Implements the configuration settings;
c. Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
d. Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
CM-6 (a) Additional FedRAMP Requirements and Guidance: The service provider shall use the Center for Internet Security guidelines (Level 1) to establish configuration settings, or establish its own configuration settings if USGCB is not available.
CM-6 (a) Additional FedRAMP Requirements and Guidance: The service provider shall ensure that checklists for configuration settings are Security Content Automation Protocol (SCAP) validated or SCAP compatible (if validated checklists are not available).
CM-6 (a) Additional FedRAMP Requirements and Guidance: Information on the USGCB checklists can be found at: http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc
NIST 800-53 (r4) Supplemental Guidance:
Configuration settings are the set of parameters that can be changed in hardware, software, or firmware components of the information system that affect the security posture and/or functionality of the system. Information technology products for which security-related configuration settings can be defined include, for example, mainframe computers, servers (e.g., database, electronic mail, authentication, web, proxy, file, domain name), workstations, input/output devices (e.g., scanners, copiers, and printers), network components (e.g., firewalls, routers, gateways, voice and data switches, wireless access points, network appliances, sensors), operating systems, middleware, and applications. Security-related parameters are those parameters impacting the security state of information systems, including the parameters required to satisfy other security control requirements. Security-related parameters include, for example: (i) registry settings; (ii) account, file, and directory permission settings; and (iii) settings for functions, ports, protocols, services, and remote connections. Organizations establish organization-wide configuration settings and subsequently derive specific settings for information systems. The established settings become part of the system's configuration baseline.
Common secure configurations (also referred to as security configuration checklists, lockdown and hardening guides, security reference guides, security technical implementation guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for specific information technology platforms/products and instructions for configuring those information system components to meet operational requirements. Common secure configurations can be developed by a variety of organizations including, for example, information technology product developers, manufacturers, vendors, consortia, academia, industry, federal agencies, and other organizations in the public and private sectors. Common secure configurations include the United States Government Configuration Baseline (USGCB) which affects the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol (e.g., Common Configuration Enumeration) provide an effective method to uniquely identify, track, and control configuration settings. OMB establishes federal policy on configuration requirements for federal information systems. Related controls: AC-19, CM-2, CM-3, CM-7, SI-4.
References: OMB Memoranda 07-11, 07-18, 08-22; NIST Special Publications 800-70, 800-128; Web: http://nvd.nist.gov, http://checklists.nist.gov, http://www.nsa.gov.
NIST 800-53 (r5) Discussion:
Configuration settings are the parameters that can be changed in the hardware, software, or firmware components of the system that affect the security and privacy posture or functionality of the system. Information technology products for which configuration settings can be defined include mainframe computers, servers, workstations, operating systems, mobile devices, input/output devices, protocols, and applications. Parameters that impact the security posture of systems include registry settings; account, file, or directory permission settings; and settings for functions, protocols, ports, services, and remote connections. Privacy parameters are parameters impacting the privacy posture of systems, including the parameters required to satisfy other privacy controls. Privacy parameters include settings for access controls, data processing preferences, and processing and retention permissions. Organizations establish organization-wide configuration settings and subsequently derive specific configuration settings for systems. The established settings become part of the configuration baseline for the system.
Common secure configurations (also known as security configuration checklists, lockdown and hardening guides, and security reference guides) provide recognized, standardized, and established benchmarks that stipulate secure configuration settings for information technology products and platforms as well as instructions for configuring those products or platforms to meet operational requirements. Common secure configurations can be developed by a variety of organizations, including information technology product developers, manufacturers, vendors, federal agencies, consortia, academia, industry, and other organizations in the public and private sectors.
Implementation of a common secure configuration may be mandated at the organization level, mission and business process level, system level, or at a higher level, including by a regulatory agency. Common secure configurations include the United States Government Configuration Baseline (USGCB) and security technical implementation guides (STIGs), which affect the implementation of CM-6 and other controls such as AC-19 and CM-7. The Security Content Automation Protocol (SCAP) and the defined standards within the protocol provide an effective method to uniquely identify, track, and control configuration settings.
38North Guidance:
Meets Minimum Requirement:
Use Center for Internet Security (CIS) (https://www.cisecurity.org/) and/or DISA STIG guidelines to establish and document configuration settings for the information technology products employed. If no recognized configuration checklist is available for a technology in use, the CSP must create its own baseline and include a justification statement explaining how the baseline configuration settings were derived.
Implement the configuration settings established/documented in CM-6 (a). Perform security configuration compliance scanning against hardening guides such as CIS Benchmarks and/or DISA STIGs.
Identify, document, and approve deviations/exceptions from the mandatory configuration settings based on explicit operational requirements, vendor dependencies, and information security best practices.
Monitor and control changes to the configuration settings in accordance with organizational policies and procedures via security configuration compliance scanning processes and tools.
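The four steps above (establish the baseline, implement it, approve documented deviations, monitor via compliance scanning) are what a configuration-compliance scan has to reconcile. The following Python is an added illustration of that reconciliation logic; it is not code from 38North, FedRAMP, or any scanning product. It evaluates every check in a checklist and reports each one (so a report never silently drops checks), treats a missing setting as a failure rather than a pass, marks failures covered by an unexpired, approved deviation as DEVIATION instead of FAIL, and compares two scans to surface drift. The checklist rules, the CFG-nnn identifiers, the host settings, and the deviation records are all constructed for the example; a real scan would use SCAP-validated XCCDF/OVAL content and CCE identifiers.

```python
"""Toy configuration-compliance scan for CM-6 (b)-(d).

Constructed example: checklist, host settings and deviation records below are
invented for illustration and are not taken from any CIS Benchmark or STIG.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Any, Callable


@dataclass(frozen=True)
class Check:
    check_id: str                    # constructed id; CCE ids would be used in real SCAP content
    title: str
    setting: str                     # key in the host's effective configuration
    passes: Callable[[Any], bool]    # predicate on the observed value


@dataclass(frozen=True)
class Deviation:
    check_id: str
    component: str                   # host/component the exception applies to
    justification: str               # operational requirement or vendor dependency
    approved_by: str                  # change-board reference (constructed)
    expires: str                     # ISO 8601 date; exceptions are time-boxed


# Constructed checklist covering the kinds of settings the control text names
CHECKLIST = [
    Check("CFG-001", "SSH root login disabled", "sshd.PermitRootLogin", lambda v: v == "no"),
    Check("CFG-002", "SSH idle timeout <= 600s", "sshd.ClientAliveInterval",
          lambda v: isinstance(v, int) and 0 < v <= 600),
    Check("CFG-003", "Password max age <= 60 days", "login.PASS_MAX_DAYS",
          lambda v: isinstance(v, int) and 0 < v <= 60),
    Check("CFG-004", "Telnet service not enabled", "services.telnet", lambda v: v == "disabled"),
    Check("CFG-005", "/etc/shadow mode 0000", "files./etc/shadow.mode", lambda v: v == "0000"),
]

# Constructed deviation register: one current approval, one that has expired
DEVIATIONS = [
    Deviation("CFG-003", "web-01", "Service account rotated by external IdP on a 90-day cycle",
              "CCB-2024-017", "2099-12-31"),
    Deviation("CFG-004", "web-01", "Console access via telnet during migration",
              "CCB-2023-002", "2023-06-30"),
]

# Constructed effective settings as a collector would report them
HOST_SETTINGS = {
    "web-01": {
        "sshd.PermitRootLogin": "no",
        "sshd.ClientAliveInterval": 300,
        "login.PASS_MAX_DAYS": 90,
        "services.telnet": "enabled",
        # "files./etc/shadow.mode" deliberately absent: collector could not read it
    }
}


def scan(host, settings, checklist, deviations, today):
    """Evaluate every check and return one result row per check.

    Status is PASS, FAIL, DEVIATION (failure covered by an approved, unexpired
    deviation for this host) or MISSING (setting not observed; counted as a
    failure, never as a pass).
    """
    approved = {d.check_id: d for d in deviations
                if d.component == host and d.expires >= today}
    results = []
    for c in checklist:
        value = settings.get(c.setting)
        if c.setting not in settings:
            status = "MISSING"
        elif c.passes(value):
            status = "PASS"
        elif c.check_id in approved:
            status = "DEVIATION"
        else:
            status = "FAIL"
        results.append({
            "host": host, "check_id": c.check_id, "title": c.title,
            "status": status, "observed": value,
            "approval": approved[c.check_id].approved_by if status == "DEVIATION" else None,
        })
    return results


def summarize(results):
    """Counts per status; all checks executed are accounted for."""
    return dict(Counter(r["status"] for r in results))


def unapproved_failures(results):
    """Check ids that need remediation or a documented, approved deviation."""
    return [r["check_id"] for r in results if r["status"] in ("FAIL", "MISSING")]


def drift(previous, current):
    """CM-6 (d): checks whose status changed between two scans of the same host."""
    prev = {r["check_id"]: r["status"] for r in previous}
    return {r["check_id"]: (prev.get(r["check_id"]), r["status"])
            for r in current if prev.get(r["check_id"]) != r["status"]}


if __name__ == "__main__":
    rows = scan("web-01", HOST_SETTINGS["web-01"], CHECKLIST, DEVIATIONS, "2024-09-01")
    for r in rows:
        print(f'{r["check_id"]} {r["status"]:9} {r["title"]} (observed={r["observed"]!r})')
    print("summary:", summarize(rows))
    print("needs action:", unapproved_failures(rows))
```

The expired exception for CFG-004 is the case worth noticing: the host still fails the check, and because the approval has lapsed the scan reports FAIL, not DEVIATION, which is what forces the exception back through the approval process that CM-6 (c) requires.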
Best Practice:
CISA Kubernetes Hardening Guide: https://www.cisa.gov/uscert/ncas/current-activity/2022/03/15/updated-kubernetes-hardening-guide
While FedRAMP High will allow for CIS-hardened infrastructure, IL4/5/6 require DISA STIGs. If a CSP has IL5 on its roadmap, it is highly recommended to pursue DISA STIGs where possible to minimize the amount of rework required in the future. Use the following sources in the order listed, falling back to the next source only when no benchmark of the higher type exists for the component in question.
STIGs
Security Requirement Guides (SRGs)
CIS Benchmarks
OEM Recommendations
Industry Best Practices
Vendor best practices
CSP-defined
Unofficial FedRAMP Guidance:
The latest software version should be used in the absence of a recent hardening benchmark. For example, if the latest software component version is v5.0 but the latest CIS benchmark is for v3.6, install v5.0 and not v3.6. Otherwise you accept the known vulnerabilities in the older version, for which the only remediation is upgrading to the newer version anyway. The outdated benchmark can still be applied as a hardening checklist against the latest software version; note any checks that no longer apply or that reference settings renamed in the newer version. Additional hardening can be applied based on other security best practices (vendor whitepapers, etc.) until a newer benchmark is published.
Assessment Evidence:
Security configuration checklists in use
Compliance scan reports for infrastructure, platform and application workloads. Scan reports must include all checks executed and status (pass or fail).
Evidence of review and analysis of compliance scan reports for infrastructure, platform and application workloads.
Documented approvals for deviations from the mandatory configuration settings for information system components.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD