CMMC Configuration Management Worksheet - RapidFire Tools


CMMC Assessment
CMMC Configuration Management Worksheet

CONFIDENTIALITY NOTE: The information contained in this report document is for the exclusive use of the client specified above and may contain confidential, privileged and non-disclosable information. If the recipient of this report is not the client or addressee, such recipient is strictly prohibited from reading, photocopying, distributing or otherwise using this report or its contents in any way.

Prepared for: Client Company
Prepared by: YourIT Company

CMMC Configuration Management Worksheet
CMMC ASSESSMENT

Table of Contents

1 - C013 - Establish Configuration Baselines
1.1 - Baseline Configuration - CMMC Ctrl: CM.2.061 - Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.1)
1.2 - Least Functionality - System Configuration - CMMC Ctrl: CM.2.062 - Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.6)
1.3 - User-Installed Software - CMMC Ctrl: CM.2.063 - Control and monitor user-installed software. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.9)

2 - C014 - Perform Configuration and Change Management
2.1 - Baseline Security Settings - CMMC Ctrl: CM.2.064 - Establish and enforce security configuration settings for information technology products employed in organizational systems. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.2)
2.2 - Configuration Change Control - CMMC Ctrl: CM.2.065 - Track, review, approve, or disapprove, and log changes to organizational systems. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.3)
2.3 - Security Impact Analysis - CMMC Ctrl: CM.2.066 - Analyze the security impact of changes prior to implementation. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.4)
2.4 - Access Restrictions for Change - CMMC Ctrl: CM.3.067 - Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.5)
2.5 - Least Functionality - Prevent program execution - CMMC Ctrl: CM.3.068 - Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.7)
2.6 - Application Blacklisting/Whitelisting - CMMC Ctrl: CM.3.069 - Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.8)

PROPRIETARY & CONFIDENTIAL
Page 2 of 6

1 - C013 - Establish Configuration Baselines

1.1 - Baseline Configuration - CMMC Ctrl: CM.2.061 - Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.1)

Are baseline configurations developed, documented, and maintained for each information system type?
Yes

Follow-up to 1.1 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.

1.2 - Least Functionality - System Configuration - CMMC Ctrl: CM.2.062 - Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.6)

Does the company employ the principle of least functionality by configuring organizational systems to provide only essential capabilities?
Yes

Follow-up to 1.2 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.

1.3 - User-Installed Software - CMMC Ctrl: CM.2.063 - Control and monitor user-installed software. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.9)

Are user controls in place to prohibit the installation of unauthorized software?
Yes

Follow-up to 1.3 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.

2 - C014 - Perform Configuration and Change Management

2.1 - Baseline Security Settings - CMMC Ctrl: CM.2.064 - Establish and enforce security configuration settings for information technology products employed in organizational systems. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.2)

Does the company establish and enforce security configuration settings for organizational system components?
Yes

Follow-up to 2.1 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.

2.2 - Configuration Change Control - CMMC Ctrl: CM.2.065 - Track, review, approve, or disapprove, and log changes to organizational systems. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.3)

Does the company employ processes and mechanisms to control changes to organizational systems?
Yes

Follow-up to 2.2 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.

2.3 - Security Impact Analysis - CMMC Ctrl: CM.2.066 - Analyze the security impact of changes prior to implementation. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.4)

Does the company employ the practice of analyzing the security impact of changes prior to implementation?
Yes

Follow-up to 2.3 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.

2.4 - Access Restrictions for Change - CMMC Ctrl: CM.3.067 - Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.5)

Does the company define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems?
Yes

Follow-up to 2.4 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the process, mechanism, and controls necessary to meet this security requirement. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this security requirement is implemented. 4) See attached results of the last technical examination undertaken.

2.5 - Least Functionality - Prevent program execution - CMMC Ctrl: CM.3.068 - Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.7)

Does the company restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services?
Yes

Follow-up to 2.5 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has made a security-based determination of which functions, ports, protocols, and/or services are restricted. Bluetooth, File Transfer Protocol (FTP), and peer-to-peer networking are examples of protocols that organizations consider preventing the use of, restricting, or disabling.

2.6 - Application Blacklisting/Whitelisting - CMMC Ctrl: CM.3.069 - Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. (NIST 800-171 Rev. 2 Ctrl Ref: 3.4.8)

Does the company employ an application deny-by-exception policy (blacklisting) or a deny-all, permit-by-exception policy (whitelisting) to allow the execution of authorized software?
Yes

Follow-up to 2.6 if you answered Yes above - Describe the mechanism implemented to meet this control requirement.
The organization has implemented the necessary processes, mechanisms, and controls to implement blacklisting/whitelisting. 1) Reference the attached policies and procedures associated with this security requirement. 2) See attached records illustrating that the policies and procedures have been institutionalized. 3) View the attached overview of the technical examination practices used to verify that this control requirement is implemented. 4) See attached results of the last technical examination undertaken.
