Practice CM.L3-3.4.1e Details
Source of Reference: The official CMMC Level 3 Assessment Guide from the Department of Defense Chief Information Officer (DoD CIO).
CM.L3-3.4.1E – AUTHORITATIVE REPOSITORY
SECURITY REQUIREMENT
Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
ASSESSMENT OBJECTIVES [NIST SP 800-172A]
Determine if:
- [a] Approved system components are identified;
- [b] Implemented system components are identified;
- [c] An authoritative source and repository are established to provide a trusted source and accountability for approved and implemented system components; and
- [d] An authoritative source and repository are maintained to provide a trusted source and accountability for approved and implemented system components.
POTENTIAL ASSESSMENT METHODS AND OBJECTS [NIST SP 800-172A]
Examine
[SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the system; configuration management plan; enterprise architecture documentation; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; change control records; system and system component inventory records; inventory reviews and update records; security plan; system audit records; change control audit and review reports; other relevant documents or records].
Interview
[SELECT FROM: Organizational personnel responsible for configuration management; organizational personnel responsible for system component inventory; organizational personnel responsible for configuration change control; organizational personnel responsible for information security; system/network administrators; members of a change control board or similar].
Test
[SELECT FROM: Mechanisms that implement configuration change control; mechanisms supporting configuration control of the baseline configuration; mechanisms supporting and/or implementing the system component inventory].
DISCUSSION [NIST SP 800-172]
The establishment and maintenance of an authoritative source and repository includes a system component inventory of approved hardware, software, and firmware; approved system baseline configurations and configuration changes; and verified system software and firmware, as well as images and/or scripts. The authoritative source implements integrity controls to log changes or attempts to change software, configurations, or data in the repository. Additionally, changes to the repository are subject to change management procedures and require authentication of the user requesting the change. In certain situations, organizations may also require dual authorization for such changes. Software changes are routinely checked for integrity and authenticity to ensure that the changes are legitimate when updating the repository and when refreshing a system from the known, trusted source. The information in the repository is used to demonstrate adherence to or identify deviation from the established configuration baselines and to restore system components from a trusted source. From an automated assessment perspective, the system description provided by the authoritative source is referred to as the desired state. The desired state is compared to the actual state to check for compliance or deviations. [NIST SP 800-128] provides guidance on security configuration management, including security configuration settings and configuration change control.
[NIST IR 8011-1] provides guidance on automation support to assess system and system component configurations.
FURTHER DISCUSSION
Trusted software, whether securely developed in house or obtained from a trusted source, should have baseline data integrity established when it is first created or obtained, for example by computing a cryptographic hash of the software at that point and using the stored hash value to validate the software before it is used on a given system. Hardware in the repository should be stored in boxes or containers with tamper-evident seals. Hashes and seals should be checked on a regular basis, employing the principle of separation of duties.
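The following Python example is added here as an illustration and is not part of the CMMC guide or NIST SP 800-172. It shows, in working code, the two mechanisms described above: establishing baseline integrity by hashing a component when it is first obtained and validating it against the stored hash before use (Further Discussion), and comparing the repository's desired state with an observed actual state to identify deviations (Discussion). The repository also refuses and logs unauthenticated change attempts, since the text requires that changes be authenticated and logged. All component names, users, and byte strings are constructed sample values, not real software.

```python
"""Added illustration (not from the CMMC guide): a minimal authoritative
repository that records approved components by SHA-256 hash, logs every change
or attempted change with the requesting user, validates a component before use,
and compares the desired state (repository) with an actual state (what is
observed on a system) to report deviations."""
import hashlib
import hmac
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    """Baseline data integrity: hash the component when it is first obtained."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Repository:
    """Authoritative source: approved components plus an append-only change log."""
    approved: dict = field(default_factory=dict)    # name -> expected SHA-256 hex
    change_log: list = field(default_factory=list)  # (action, name, hash, user)

    def register(self, name: str, data: bytes, user: str, authenticated: bool) -> bool:
        """Approve a component. Changes require an authenticated requester;
        both successful changes and refused attempts are logged."""
        digest = sha256_hex(data)
        if not authenticated:
            self.change_log.append(("DENIED", name, digest, user))
            return False
        self.approved[name] = digest
        self.change_log.append(("APPROVED", name, digest, user))
        return True

    def verify(self, name: str, data: bytes) -> bool:
        """Validate a component against the stored hash before it is used.
        Unknown components never verify; comparison is constant-time."""
        expected = self.approved.get(name)
        if expected is None:
            return False
        return hmac.compare_digest(expected, sha256_hex(data))


def compare_states(repo: Repository, actual: dict) -> dict:
    """Desired state (repository) versus actual state (observed name -> bytes).
    Returns approved components that are missing, components present but not
    approved, and approved components whose content no longer matches."""
    missing = sorted(set(repo.approved) - set(actual))
    unapproved = sorted(set(actual) - set(repo.approved))
    drifted = sorted(n for n, d in actual.items()
                     if n in repo.approved and not repo.verify(n, d))
    return {"missing": missing, "unapproved": unapproved, "drifted": drifted}


# Constructed sample artefacts standing in for real software or firmware images.
OFFICE_SUITE = b"office-suite build 1.2 (constructed sample)"
PDF_READER = b"pdf-reader build 4.0 (constructed sample)"
TAMPERED_OFFICE_SUITE = OFFICE_SUITE + b"\x00unapproved patch"


def build_demo_repository() -> Repository:
    """Populate the repository with two approved components (hypothetical names)."""
    repo = Repository()
    repo.register("office-suite", OFFICE_SUITE, user="build-tech", authenticated=True)
    repo.register("pdf-reader", PDF_READER, user="build-tech", authenticated=True)
    # An unauthenticated change attempt is refused but still recorded in the log.
    repo.register("pdf-reader", TAMPERED_OFFICE_SUITE, user="unknown", authenticated=False)
    return repo


def demo_deviations() -> dict:
    """An observed system where one component drifted, one is absent,
    and one unapproved component appeared."""
    repo = build_demo_repository()
    actual = {
        "office-suite": TAMPERED_OFFICE_SUITE,                 # hash mismatch
        "media-player": b"media-player (constructed sample)",  # not approved
    }
    return compare_states(repo, actual)


if __name__ == "__main__":
    repo = build_demo_repository()
    print("office-suite verifies:", repo.verify("office-suite", OFFICE_SUITE))
    print("deviations:", demo_deviations())
    for entry in repo.change_log:
        print(entry)
```

In practice the repository contents and the change log would live in a protected configuration management system rather than in memory, and the actual-state collection would come from an inventory or endpoint agent; the comparison logic is the same.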
Example
You are the primary system build technician at a medium-sized company. You have been put in charge of creating, documenting, and implementing a baseline configuration for all user systems [c]. You have identified a minimum set of software that is needed by all employees to complete their work (e.g., office automation software). You acquire trusted versions of the software and build one or more baselines of all system software, firmware, and applications required by the organization. The gold version of each baseline is stored in a secure configuration management system repository and updated as required to maintain integrity and security. Access to the build repository for updates and use is carefully controlled using access control mechanisms that limit access to you and your staff. All interactions with the repository are logged. Using an automated build tool, your team builds each organizational system using the standard baseline.
Potential Assessment Considerations
- Does an authoritative source and repository exist to provide a trusted source and accountability for approved and implemented system components [c,d]?
KEY REFERENCES
- NIST SP 800-172 3.4.1e