FedRAMP Rev 5 Moderate Baseline
CM: Configuration Management
An OSCAL Group
Subcontrols: 27
CM-1 - Policy and Procedures
CM-2 - Baseline Configuration
3 Subcontrols
CM-2.2 - Automation Support for Accuracy and Currency
CM-2.3 - Retention of Previous Configurations
CM-2.7 - Configure Systems and Components for High-risk Areas
CM-3 - Configuration Change Control
2 Subcontrols
CM-3.2 - Testing, Validation, and Documentation of Changes
CM-3.4 - Security and Privacy Representatives
CM-4 - Impact Analyses
1 Subcontrol
CM-4.2 - Verification of Controls
CM-5 - Access Restrictions for Change
2 Subcontrols
CM-5.1 - Automated Access Enforcement and Audit Records
CM-5.5 - Privilege Limitation for Production and Operation
CM-6 - Configuration Settings
1 Subcontrol
CM-6.1 - Automated Management, Application, and Verification
CM-7 - Least Functionality
3 Subcontrols
CM-7.1 - Periodic Review
CM-7.2 - Prevent Program Execution
CM-7.5 - Authorized Software — Allow-by-exception
CM-8 - System Component Inventory
2 Subcontrols
CM-8.1 - Updates During Installation and Removal
CM-8.3 - Automated Unauthorized Component Detection
CM-9 - Configuration Management Plan
CM-10 - Software Usage Restrictions
CM-11 - User-installed Software
CM-12 - Information Location
1 Subcontrol
CM-12.1 - Automated Tools to Support Information Location