This Handbook outlines procedures to help CMS staff and contractors implement the Configuration Management family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53 and tailored to the CMS environment in the CMS Acceptable Risk Safeguards (ARS). For more guidance on how to implement CMS policies and standards across many cybersecurity topics, see the CMS Security and Privacy Handbooks.
Configuration management has been applied to a broad range of information systems. Some basic terms associated with the configuration management discipline are briefly explained below.
A Baseline Configuration is a set of specifications for a system that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
A Configuration Management Plan (CM Plan) is a comprehensive description of the roles, responsibilities, policies, and procedures that apply when managing the configuration of products and systems. The basic parts of a CM Plan include:
This guideline is associated with the application of security-focused configuration management practices as they apply to information systems. The configuration of an information system is a representation of the system’s components, how each component is configured, and how the components are connected or arranged to implement the information system. The possible conditions in which an information system or system component can be arranged affect the security posture of the information system. The activities involved in managing the configuration of an information system include development of a configuration management plan, establishment of a configuration control board, development of a methodology for configuration item identification, establishment of the baseline configuration, development of a configuration change control process, and development of a process for configuration monitoring and reporting.
Configuration management of information systems involves a set of activities that can be organized into four major phases – Planning, Identifying and Implementing Configurations, Monitoring, and Controlling Configuration Changes. It is through these phases that CM not only supports security for an information system and its components, but also supports the management of organizational risk.
This control requires CMS to develop, document, and maintain under configuration control a current baseline configuration for each information system. Baseline configurations are documented, formally reviewed and agreed-upon sets of specifications for information systems or configuration items within those systems. Baseline configurations serve as a basis for future builds, releases, and/or changes to information systems. Baseline configurations include information about information system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture.
The following steps detail the CMS specific process for initializing and maintaining an information system configuration baseline.
To develop and document initial configurations:
In order to maintain the configuration baseline, the Business Owner ensures the following is completed:
This enhancement requires CMS to review and update the baseline configuration of its information systems at a regularly defined frequency, when special circumstances arise, or when and information system component is installed or upgraded. By defining and maintaining a baseline configuration for its information systems, CMS is supporting the cybersecurity concepts of least privilege and least functionality. In addition, the establishment of configuration baselines helps the organization recognize abnormal behavior as a sign of attack.
The table below outlines the CMS organizationally defined parameters (ODPs) for review and update of the baseline configuration for an information system.
The organization reviews and updates the baseline configuration of the information system:
The organization reviews and updates the baseline configuration of the information system:
To implement the CMS controls for reviewing and updating configuration baseline, the Information System Security Officer (ISSO) must first assign a security category in accordance with FIPS 199.
This procedure is outlined in RMH Chapter 12: Security & Privacy Planning, under control PL-2. The category will assist the CCB with identifying adequate security controls and ensuring they are integrated into the configuration baseline of the information system.
The CCB will review information system baseline configurations every 365 days for systems categorized “High” and every 1,095 days for systems categorized as “Moderate”. Other triggers outside of scheduled times for configuration baseline review are:
In addition, system developer and maintainers will have to update the documentation regarding the baseline configuration after an approval of changes. Updates must follow the same process stated above in CM-2.
CMS provides automation support whenever possible to information systems’ configuration baselines. Automation support examples include hardware asset management systems, software asset management systems, and centralized configuration management software. CMS uses automation of information gathering to support the continuous monitoring program and inventory systems. Automation support captures the types of hardware and software on the network and the operating system or firmware on each device.
The goal is to keep track of what the configuration is on each system and to have the ability to go to an information system and collect configuration information automatically. The automation keeps the data on systems configuration up-to-date, accurate, and available when it is needed. With a current list of configurations, CMS can feed it into other processes that look for deviations from the baseline and configurations that are not up to organizational standards. It is worth noting the difference between a deviation and a waiver. A waiver is required when there is a departure from CMS or HSS policy and must be approved by the AO. A deviation is when the system will differ from established configuration standards and the reason why the deviation is occurring must be documented.
The following details the CMS specific process for incorporating automation to an information system.
Retaining documentation of configuration information is the first step to the restoration in times of need. CMS will maintain at least one backup of the configuration for systems, system components, and information system services. The configuration information needed is used to restore a device, service, or software to a previous state. Related to CM-2(2), section 3.1.2 of this document, the automated gathering of configuration information can be used to collect the data. This backup should also be maintained, given that the configuration will change over time. The approval of changes in the configuration from the CCB should also be added to the configuration documentation to retain as a new version.
The retention of configuration information is in support of CMS as one of its goals to maintain availability of systems. A previous configuration could be used to replace current settings and processes to a former state. This former state should be an approved configuration that may increase risk, but maintain availability. For example, if there were a system that did not apply a critical security patch correctly causing a system failure, then restoring the previous configuration would restore the system to a functioning state (available) without the security protection of the patch (increased risk).
The configuration information can also be used when settings change with unintended consequences during system upgrades or replacements. The previous configuration can be restored using what is called a rollback procedure, which would implement the settings for a former state that is known to function properly.
The table below outlines the CMS organizationally defined parameter (ODP) for CM Retention of Previous Configurations.
Control | Control Requirement | CMS Parameter |
---|---|---|
CM-2(3) | The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback. | The organization retains older versions of baseline configurations of the information system as deemed necessary, by the ISSO, to support rollback. |
The following details the CMS specific process for retaining configuration information of an information system:
The system developer and maintainer will determine the needs of the system to restore it back to a previous state. The information gathered can be a combination of settings, version numbers of software/firmware/hardware, access controls, connection information, or schematics. The importance of gathering the correct information is to ensure that the system will work using the previous configuration as stored. This previous configuration information must also be available in case of emergencies and must therefore be stored apart from the system itself to remain available if the system is offline. Additionally, configuration changes that are approved by the CCB must be added to the configuration baseline to ensure the up-to-date configurations are used for restoration. A minimum of one previous configuration is required for this control.
Because the retention process will be slightly different for every information system, the system developer and maintainer must document their process in their Configuration Management Plan (CMP).
This control guides CMS to create configurations and/or procedures for systems (laptops, iPhones, etc.) that are traveling to high-risk areas. This control is for official travel, because unofficial/personal travel should not involve the transportation of Government Furnished Equipment (GFEs). CMS employees traveling to high-risk areas should not travel with their permanently issued GFE but instead use an assigned loaner laptop from the designated laptop team. The designation of high-risk countries can be found on the State Department’s website Travel to High-Risk Areas Upon returning, CMS employees and contractors return their mobile devices to the SOC for a check of signs of physical tampering. HHS guidance can be found here: https://intranet.hhs.gov/it/cybersecurity/policies/memo-gfe.html. Further guidance can be obtained from the HHS Office of Security and Strategic Information and from the Broadcast on Foreign Travel: Updated Foreign Travel Security Awareness Guidance (6/12/2017).
The table below outlines the CMS organizationally defined parameters (ODPs) for CM-2(7) Configure Systems, Components, or Devices for High-Risk Areas.
The following details the CMS specific process for handling systems components or devices for travel to a high-risk area.
Configuration change control implements the change control process for the information system, system component, or information system service. Management will determine which changes to the system need to be part of the change control process. There will also be employees assigned to the CCB to review and approve changes to the system, component or service. The CCB will take security considerations as part of the decision making process. Changes that are approved will need to be documented as a part of the process. The documentation should include the decisions on the changes as well as the changes that are to be made. The CCB should periodically audit and review the activities related to the changes that have been made to the applicable system, component or service. It should also meet often enough to accommodate the changes that are proposed.
The reason that change control is enacted is to reduce the impact of changes to the CIA of the data processed by the system. The CCB can approve or disapprove of changes for a particular system so that there is no single person making changes to the system. CMS wants to prevent or minimize risks that can occur as a result of unauthorized or uncoordinated changes. This helps to separate the duties involved and adds an extra layer of security. The documentation of changes can help to troubleshoot issues when systems malfunction and to audit the system for compliance to CMS rules and regulations. CMS uses configuration change control to maintain availability through changes that have to be tested and system integrity through audits and approvals for system changes.
The table below outlines the CMS organizationally defined parameters (ODPs) for CM Configuration Change Control.
The following, which is ensured by the Business Owner, details the CMS specific process for controlling changes to a CMS information system’s configuration.
Automation in the change management process can help to document changes and ensure the proper workflow. CMS uses automated means to document system changes for submission to the CCB. The automated process should cover several things. CMS wants the automated system to notify the authorizing personnel, who were designated to approve changes, whenever changes are proposed. The change request can be automated giving highlight rules to change requests for different statuses such as: awaiting approval, not approved, or overdue (defined in the SSPP). When the approvals come through, this system should alert the stakeholders that the change is approved.
Changing systems are a frequent occurrence. Automating the documentation, along with notification or prohibition of changes, saves CMS resources. Automating these processes can also increase the traceability of changes for many systems at once. This helps to keep accounts of all records linked to each applicable system and to review who approved specific changes and reasons for change.
The table below outlines the CMS organizationally defined parameters (ODPs) for CM Automated Document/Notification/Prohibition of Changes.
The organization employs automated mechanisms to:
The organization employs automated mechanisms to:
The following steps, which are ensured by the Business Owner, outline the process for automating the processes of documenting, notifying, and prohibiting actions during the change control process.
* For the stakeholders mentioned in Table 5 and Step 1 above, the CCB must be notified of system changes. However, each system requires its own group of stakeholders to make up the CCB and there is no expectation for each role listed in Table 5 to receive notifications for every single system change. This is especially true for the Data Guardian who should only receive notification when significant changes are implemented.
Systems can implement this control by creating an environment to test changes prior to implementation in the operational environment. The testing environment should be separate from the operational environment when possible. The test environment should mirror the operational environment to the maximum extent possible, but CMS realizes deviations will have to be made so long as they are properly documented. Teams performing testing should document the process and procedures associated with the test to include a detailed outcome.
The purpose of testing changes to the system prior to implementation is to reduce the chance that outages will occur during implementation. The separation of testing from implementation in the operational environment is meant to give network/system administrators an opportunity to see if proposed changes will adversely affect the operational systems. CMS has the goal of reducing the chances that the operational environment will fail as a result of changes to the environment. Implementing this control will reduce breaks in operational environments and enable stakeholders making subsequent changes to reference the documentation created.
The following details the CMS specific process for testing, validating, and documenting changes to an information system.
Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.
The analysis of the security impact of a change occurs when changes are analyzed and evaluated for adverse impact on security, preferably before they are approved and implemented, but also in the case of emergency/unscheduled changes. These analyses are important to CMS because they prevent unnecessary risk to the enterprise.
Changes (in both the change management process and if a significant change will be made that impacts the ATO) should not be accepted without first studying the risks posed by these changes by conducting a security impact analysis. Before the changes are implemented and tested, a security impact analysis (and/or assessment) is performed to ensure that the changes have been sufficiently analyzed and documented, and to determine if there are any unanticipated effects of the change on existing security controls.
Change Management
Information system changes should not be undertaken prior to assessing the security impact of such changes. If the results of the security impact analysis indicate that the proposed or actual changes can affect, or have affected, the security state of the system; then corrective actions must be initiated and appropriate documents are revised and updated (e.g., the system security plan, security assessment report, and plan of action and milestones, etc.).
The business owner, or common control provider(s) should consult with their ISSO and/or CRA, and participate in the TRB review process prior to implementing any security-related changes to the information system, or its environment of operation.
Significant Change
Many events can trigger change—even events that may not result in an actual system “change”. Significant changes require a formal reauthorization of the system. If a formal reauthorization action is required, the business owner should target only the specific security controls affected by the changes and reuse previous assessment results wherever possible. Most routine changes to an information system or its environment of operation can be handled by the business owner’s continuous monitoring program.
NIST states that a Significant Change to an information system may include (for example): (i) installation of a new or upgraded operating system, middleware component, or application; (ii) modifications to system ports, protocols, or services; (iii) installation of a new or upgraded hardware platform; (iv) modifications to cryptographic modules or services; or (v) modifications to security controls. Examples of significant changes to the environment of operation may include for example: (i) moving to a new facility; (ii) adding new core missions or business functions; (iii) acquiring specific and credible threat information that the organization is being targeted by a threat source; or (iv) establishing new/modified laws, directives, policies, or regulations.
The following steps detail the CMS specific process to conduct a security impact analysis:
If change management:
If a significant change:
Separate test environments are used at CMS to host an instance of the operational environment. They should mirror one another in order to create an accurate response to changes as they are made for testing. The environment will be kept separate, physically and/or logically, so that changes in one do not affect the other. Changes will then be analyzed for flaws, weaknesses, incompatibility and intentional/unintentional harm that results from implementation. CCB approved changes should be made in this test environment first, then the production/operational environment. Test environments need to mirror production to the maximum extent possible, but CMS realizes that deviations may have to be made so long as they are properly documented.
Separating the testing environment from the production environment benefits CMS by allowing a chance to see the changes requested for a system enacted before the changes affect end users. Test environments give a chance to observe possible harm or disrupted functionality without applying the changes to production. It can reduce the risks of change overall, since the production data and operational environment are not harmed when the test environment is adversely affected.
The following steps detail the CMS-specific process to ensure that separate environments have been incorporated into testing:
The changes to a system can be sensitive. CMS calls for restrictions on the access to the system both physically and logically. The access controls to limit change privileges can be implemented through discretionary access controls such as deciding who is on the CCB. Supplemental discretionary access or role-based access controls can be enacted on files using Access Control Lists (ACLs). There can also be physical access restrictions such as those requiring a key to get into datacenter facilities. All together, these access restrictions should be developed, documented, approved and enforced throughout the system life cycle.
Restricting the ability to enact change to a system maintains the overall stability to the system. CMS limits production and operational privileges to make sure that there are controlled inputs to the change control process. Without limitations on change requests for a system, the process may become overwhelmed or inefficient based on unnecessary change requests.
CMS enacts this control, which is ensured by the Business Owner, by utilizing the following steps:
A system under this control will have automation in its access enforcement and auditing. The automation means that the system will check to see if the user or service is authorized to access resources as well as use some form of authentication. During this enforcement of access controls, the system should also log actions for auditing those enforcement actions later.
The access enforcement for a system is important to maintain its security. Automating the enforcement is the most efficient method of maintaining access controls. These controls keep the unauthorized users out. They contribute to the safety of the system through authentication and confidentiality. The confidentiality of the system makes it so that users only see parts of the system they are authorized to see. Authentication ensures that CMS knows the user or service that is attempting to access a resource. Finally, the creation of access control records will allow CMS personnel to evaluate working controls and detect misuse of the system through audits.
The following steps detail the CMS specific process for automatically controlling access and auditing:
The review of system changes should be carried out once per week by the CCB. This process should also allow for ad-hoc reviews for checking configurations against the baseline when unauthorized changes have been indicated or there is a dramatic unforeseen shift in performance.
Review is a useful tool utilized by CMS to determine which changes may have been made without permission, or without following the configuration management procedure. Discovering an unauthorized change could mean that there are more unauthorized changes present within the system. Reviewing the system changes is an easy way to check for procedural mistakes or intentionally unauthorized system changes. CMS maintains records of access to ensure that configuration change control is implemented and to support after-the-fact actions should CMS discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3, AU-6 and AU-7.
The table below outlines the CMS organizationally defined parameters for CM Review System Changes.
The organization reviews information system changes:
a. At least once a week; and
b. When unauthorized changes or unexpected levels of system performance are indicated.
The following steps detail the CMS specific process for reviewing system changes:
Signed components are parts of code that are used to create a digital signature and packaged together, code and signature. The digital signature is created from certificate assigned to the author of the code by a trusted certification authority.
CMS uses signed firmware and software components to know who the authors of the code are. The digital signature scheme and the Public Key Infrastructure together provide a way to institute non-repudiation for firmware and software updates.
The table below outlines the CMS organizationally defined parameters for CM Signed Components.
Control | Control Requirement | CMS Parameter |
---|---|---|
CM-5(3) | The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. | The information system prevents the installation of network and server software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization. |
The following details the CMS specific process for signing components:
Code that is taken from third party providers must have a signature from the author. At CMS, the system administrators apply the correct configuration that automatically stops firmware and software components from being installed without a digital signature. These settings are in use as part of CMS’ configuration baselines for systems. In Windows-based systems, this is performed through Active Directory group policy objects. The group policy is applied to the target computer object and results in the computer being configured to restrict software and firmware installations without digital signatures. The certificate for the software should be from a trusted certificate authority and the certificate should not be trusted if it is self-signed. A trusted certificate authority is designated as such by DHS, HHS, and CMS.
HHS has outlined guidance for use when configuring information system components for operation. Configuration standards vary depending upon the technical characteristics of the information system (e.g. operating systems, databases, firmware, etc.) The Minimum Security Configurations Standard Guidance issued by the Department of Health and Human Services shall be applied to all applicable systems. If an HHS-defined configuration standard baseline is not available than the U.S. Government Configuration Baseline (USGCB) will be applied to the applicable systems. For those systems not covered under USGCB, the National Checklist Program can be followed for configuration guidance.
The purpose of creating common configuration settings is to streamline management and security implementations. CMS configures systems with standardized settings and automates their implementation to save time and create a baseline of security that applies to all information systems, thereby, minimizing risk across the enterprise.
The table below outlines the CMS organizationally defined parameters for CM Configuration Changes.
The following steps detail the CMS specific process for documenting configuration changes:
The following steps are intended for use if the information system is cloud-based from a Cloud Service Provider (CSP).
Deviations
The following steps are intended for creating deviations to established configuration settings. If the settings established using a standard for baseline configurations have significant detrimental impacts on a system’s ability to perform CMS duties, then follow the steps below to file for a Risk Acceptance. It is worth noting the difference between a deviation and a waiver. A waiver is required when there is a departure from CMS or HHS policy and must be approved by the AO. A deviation is when the system will differ from established configuration standards and the reason why the deviation is occurring must be documented.
The ISSO then fills out Section 3 Proposed Risk Acceptance with all of the information related to the risk(s) that will be accepted and how/if the risk will be mitigated to include:
Automating the management of operating systems and applications gives CMS more control over the information systems in the CMS infrastructure and those processing CMS data. Automation is implemented to create a point (or points) of central management for administrators to change, apply, verify, and enforce configuration baselines and mandatory configuration settings. CMS uses the HHS defined security configuration standards as the basis for the configurations of information systems, components and applications. CMS Information systems are expected to allow access to automated methods of configuration management, change and verification.
Using these policies and procedures for the CMS environment assures an even application of approved configurations across the network. These configurations are applying the settings that will secure each system and application according to CMS’s business and regulatory needs, specifically to enforce the baseline and the mandatory configuration settings. CMS is able to implement the settings and verify that they are correct using this control. Verification is used to show compliance. The combination of configuration and verification makes this control necessary for large enterprise environments such as CMS.
The table below outlines the CMS organizationally defined parameters for Automated Central Management\Application\Verification.
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
The following steps, which is ensured completed by the Business Owner, detail the CMS specific process for automation of central management:
It is the duty of CMS authorized personnel to respond to unauthorized changes to the information system, components or its data. The response should include notifying the business owner and ISSO. Additionally, the configuration should be restored to an approved version and further system processing can be halted as necessary.
CMS prevents or rolls back these changes to ensure that they go through the process of change management and receive the appropriate approvals and security checks before implementation. Unauthorized changes that have not undergone security vetting may introduce new vulnerabilities that have not been mitigated by existing security controls. The potential for increase of risk leads CMS to respond to unauthorized changes as soon as possible.
The table below outlines the CMS organizationally defined parameters for CM-6(2) Respond to Unauthorized Changes.
The organization responds to unauthorized changes to information system and components (e.g., authorization, auditing, processing types, baselines) and data (e.g., system libraries, log files, executables) in the following ways:
The following steps detail the CMS specific process for responding to unauthorized changes:
The principle of least functionality must considered when configuring a system. This involves first documenting the essential capabilities of the system. After that, the system can be configured to accommodate these capabilities while turning off non-essential functionality. At CMS, we pay special attention to high-risk system services and additionally turn those off unless they are absolutely needed.
CMS integrates security principles into its system development and design. This control addresses the principle that systems are granted only those functions that are needed in order for them to accomplish their tasks. This includes system services, which traverse network boundaries that are considered high-risk. This aims to reduce the “attack surface” of a system. Attack surface refers to the points that an attacker might target when compromising a system. Reducing functionality that goes beyond a system’s tasks leads to minimizing risk resulting in fewer attack vectors and leaving fewer options for attack. CMS reduces the risk as much as possible for each system to prevent attacks.
The table below outlines the CMS organizationally defined parameters for CM least functionality.
b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
The following process, which is ensured completed by the Business Owner, details the CMS procedure for least functionality:
Review of ports, services, functions and protocols involves checking the system periodically. The system checks will make comparisons of what is used and what is authorized for use. CMS will then use that information to make a determination of which ports, services, functions and protocols should be disabled. The system scans will identify the PPS, and then an analysis will have to be conducted to determine if they can be disabled.
Periodic review within CMS helps to protect the systems in its infrastructure. The protection comes from reducing the attack surface as stated in “Least Functionality CM-7” to reduce the risk to the network. Reviewing on a periodic basis allows CMS to check continually for weaknesses and baseline anomalies. The change management process can introduce weaknesses into the environment, so it is important to evaluate systems on an ongoing basis to determine the consequences of changes, including unintentional or unforeseen consequences that affect the risk to that system. CMS authorizes scanning systems on this basis since change management is also an ongoing process in itself. This helps to keep checks coordinated with changes.
The table below outlines the CMS organizationally defined parameters for CM periodic review.
The following process details the CMS procedure for periodic review:
This control is implemented to ensure that CMS is using the software it has acquired responsibly and legally. To execute this control there must be methods in place to prevent executing software that is not:
Preventing these executions should be done automatically, and the users must not be permitted to execute the programs themselves.
These program preventions are a part of CMS’s security controls to ensure that security is built into the basic elements of systems through software. This is done to apply settings, which CMS knows are protecting the interests of the organization. This is extended to licensing to make sure CMS is not exposed to risk by using software that is unlicensed. Unlicensed software may violate the law or introduce new risks through its operation. Risk from operation is also included in this control by restricting software to those that are authorized to use it. Unauthorized users may not be assigned the responsibility of using certain types of software and CMS uses separation of duties to spread out job responsibilities among groups of people to reduce risk and insider threats.
The table below outlines the CMS organizationally defined parameters for CM-7(2) prevent program execution.
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
The information system prevents program execution in accordance with policies regarding authorized software use which include, but are not limited to the following:
a. Software must be legally licensed;
b. Software must be provisioned in approved configurations; and
c. Users must be authorized for software program use.
This control is system specific, but the following is a good example of how to implement and document the control:
For software that is not included in the computer image for the baseline configuration, use the following steps to allow execution in accordance with policies.
Note: Software that is supported under an enterprise license is a subset of the “CMS Tested Software List” from step 4; please refer to the OIT website for Enterprise Software Licensing here for more information: http://intranet.cms.gov/Component/OIS/Systems-and-Services/enterprise-software-licensing/index.html
Users operate under restricted privileges per CM-7 - least privilege, which will logistically prevent program execution through system policies. For those users who may get software installed surreptitiously or have administrative privileges, the following steps will apply:
The authorized software allowlisting control means that CMS would document the software that is allowed to run on CMS systems. The software name and its representation would be used to determine if a specific piece of software is on the list. Software on the list is allowed to execute and all other software is denied by default. As part of the implementation of this control, the list should be updated regularly and automatically from a trusted source.
Using an allowlist instead of a denylist is an option to consider for environments that are more restrictive. The list itself is known, and the system denies all other software. CMS can use an allowlist to lessen the uncertainty in a system through this prevention of executing the unknown. Decreasing the uncertainty in this case can also lead to decreasing the risk that malware or software outside of that needed for the operation of a system is executed.
The table below outlines the CMS organizationally defined parameters for CM Authorized Software/Allowlisting.
The following steps detail the CMS specific process for Authorizing Software or Allowlisting:
Note: If no Denylisting solution is in place, then an Allowlisting solution must be used.
For cloud-based systems that run software
Information system components are parts of the CMS network used to process, store or transmit CMS information. The components must each have an identifier that should be received from the property office in the form of an asset tag, which should be linked in an inventory system with the name of the asset, location, asset identification, owner, and description of use. More information can be added as needed, but those fields are the minimum. Then the component inventory should be linked to the CDM tools so monitoring can be linked to specific components.
CMS takes an inventory of information system’s components as a fundamental part of protecting the infrastructure. Inventories contain items that need to be checked for secure configurations, and they provide a logical baseline so that components found outside of the inventory can be scrutinized and unauthorized components removed, disabled or authorized. Unauthorized components could be indicative of a security risk and should be investigated. This control also adds to the accountability of the system. Each component is a part of the system and the same security protections should apply to all components.
The table below outlines the CMS organizationally defined parameters for CM Information System Component Inventory.
4. Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
a. Develops and documents an inventory of information system components that:
1. Accurately reflects the current information system;
2. Include all components within the authorization boundary of the information system;
3. Are at the level of granularity deemed necessary for tracking and reporting; and
- Each component’s unique identifier and/or serial number;
- Information system of which the component is a part;
- Type of information system component (e.g., server, desktop, application);
- Operating system type and version/service pack level;
- Presence of virtual machines;
- Application software version/license information;
- Physical location (e.g., building/room number);
- Logical location (e.g., IP address, position with the information system [IS] architecture);
- Media access control (MAC) address;
- Primary and secondary administrators; and
The following steps, which is ensured completed by the Business Owner, detail the CMS specific process for information system component inventory:
The purpose of this control is to ensure that the component inventory is up-to-date in times of change. The CMS system inventory should be updated in cases of: information system component installs, removals, and updates.
Updates during installations and removals to the inventory system is necessary to keep current information. The result of an upgrade, installation or removal can involve different components altogether. If the system inventory is not current, then the assumptions based on the inventory will not be accurate. It can have far-reaching impact beyond the current system and should involve updates as part of the procedure. Furthermore, updating the inventory supports accountability controls and breach response efforts.
The following, which is ensured completed by the Business Owner, lists the security safeguards implemented by CMS for Updates During Installations/Removals component inventory:
The CMS inventory system should be able to gather information and update records automatically. The inventory system makes the database complete, accounting for inventory from purchase to disposition. It is accurate, automated where possible and checked for accuracy. It is also meant to be readily available. The system should be fault tolerant to ensure that the information on inventory is there when needed.
CMS uses automated inventory maintenance to show what information system components are available at any given time. Knowing what inventory is supposed to be in the environment compared to what components are seen on the network, CMS can make determinations about components and their suitability. If the component is in inventory and not detected through CDM for a time specified by CMS, then it may need to be flagged as a potentially compromised component. On the other hand, if a component is not in inventory and detected on the network, then it should be flagged as an unauthorized component until verified. These examples show some issues with risk by using inventory anomalies in CMS’ assessments of risk.
The following, which is ensured completed by the Business Owner, lists the security safeguards implemented by CMS for automated information system component inventory:
The detection of components is utilized at CMS to determine whether a component is authorized or not. By using an inventory of components that are authorized to be on the network, CMS can utilize a mechanism to compare a discovered component with the inventory. The scans must be done on a weekly basis, more frequently as needed. The mechanism for discovery should be automatic and detect hardware, software and firmware components within the information system. When a component is found to be unauthorized then the automated mechanism should take measures to do the following:
CMS intends to automate where possible to stop malicious attacks as they occur. Stopping the communication with an unauthorized component as soon as possible is the goal of this control. The automated responses helps CMS address threats in a timely manner since utilizing technology is consistently faster than a manual process would be able to address. In order to review and take action against unauthorized components quickly, automation is the ideal solution.
The table below outlines the CMS organizationally defined parameters for CM automated unauthorized component detection.
1. Disable access to the identified component;
2. Disable the identified component’s network access;
3. Isolate the identified component; and
4. Notify the responsible actor (i.e., person/organization defined in security plan).
The following steps detail the process for automated unauthorized component detection:
Information system components are accounted for in the CMS inventory. This listing has accountability information attached to it that may be referenced when a component is compromised. The information contains the role(s) or individual(s) responsible and/or accountable for the information system components.
The information listed about CMS system components is designed as a reference for security personnel. The accountability information is used when, for example, the component needs to be replaced, is the source of a breach or a compromise, or needs to be relocated. A control for accountability information provides CMS with the contact information needed during incident response and times of change. The risk associated with those situations is assigned appropriately to the responsible person who can delegate the associated work.
The table below outlines the CMS organizationally defined parameters for accountability information.
Control | Control Requirement | CMS Parameter |
---|---|---|
CM-8(4) | The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components. | The organization includes in the information system component inventory information, a means for identifying by the System Developer/Maintainer or the Business Owner, the individuals responsible/accountable for administering those components. |
The following process, ensured is completed by the Business Owner, details the CMS procedure for keeping accountability information:
This control is used in CMS to ensure components are not duplicated in inventories. The inventory that lists all components shall not have more than one of the same instance of a component.
CMS avoids duplicate accounting in inventory systems because it creates a source of confusion for responsibility and remediation. Systems can be large and complex, involving many different components that interact with each other as well as other interconnected systems. Assigning a component to a single system inventory streamlines accounting and reduces the time and effort to discern applicable parties responsible for that component. It also leads to straightforward remediation of vulnerabilities when discovered since the component is linked to a single system.
The following steps detail the CMS specific process for verifying that the accounting for information system components are not duplicated:
The CMS-SDLC incorporates a configuration management plan into the planning process. The plan is designed to document the process and procedures for configuration management. The plan shall cover certain areas in order to fulfill this security control. Listed in the document are roles of stakeholders, their responsibilities, processes and procedures. The document shall also outline current configuration items. Specifically, one of the processes covered shall be how to identify a configuration item. The plan shall be protected, after it is finalized, from modification or unauthorized disclosure as are the configuration baselines.
Configuration management plans define people, processes and procedures. The plans establish the technical and administrative direction and surveillance for the management of configuration items. CMS uses this plan to separate responsibility and add traceability to protect the integrity of systems. Changes are documented and explicitly approved or rejected, so there is accountability regarding the approver, and changes that were made on the system without approval. Implementing the plan properly helps CMS pinpoint issues related to changes, leading to quicker resolutions and rollbacks to repair them.
The following steps detail the CMS specific process for developing, documenting and implementing a configuration management plan:
CMS will establish and enforce procedures for identifying and removing inappropriate software. Contractors and Government employees are expected to use software and associated documentation according to applicable law and contractual agreements. CMS is responsible for the prevention, monitoring, and removal of unauthorized software. Installed software and documentation will be monitored as needed to determine if its use is allowed by the license or contract. Additionally, peer-to-peer file sharing technology is not expected to be used except as approved by the CIO, but such traffic will be inspected to determine if sensitive or protected content was being shared.
Software usage restriction assists in safeguarding against the sharing of copyrighted material and/or the use of software in a manner that would violate CMS agreements. CMS tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution. CMS also controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. This reduces CMS liability by preventing potential copyright violations.
The following steps detail the CMS specific process for the implementation of the CM-10 control and/or requirement:
Allowing CMS personnel to install software on agency information systems and system resources exposes the organization to unnecessary risk. GFEs will be configured to prevent installation of software when unprivileged users attempt it. Privileged users will be allowed to install software by following established procedures. The proper methods should be outlined within the SSPP of the information system under the control allocation for CM-11 – Shared Implementation Details. Users of the information system will have to follow the policy as stated in the SSPP. CMS will take action at least once per month after implementation to monitor adherence to the policy.
CMS wants to mitigate potential problems that may arise when users install programs. Some examples of problems that can be introduced are using two different versions of the same software that can cause system conflicts, introducing malware, and installing unlicensed software that could be discovered during audit or unauthorized programs that could be used to gather information from CMS’s network. This control is designed to protect network resources from unauthorized actions from software by restricting the number of people who have the ability to install it. This will minimize the risk of losing functionality in programs, damaging CMS infrastructure from malicious programs, harming CMS’s reputation through sensitive data loss, or exposing CMS to liability from unlicensed software. Monitoring the system for these installations allows us to adhere to information security continuous monitoring (ISCM) requirements as per the CMS IS2P2 section 4.1.2 Risk Management Framework.
The table below outlines the CMS organizationally defined parameters for user-installed software.
a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;
b. Enforces software installation policies through [Assignment: organization-defined methods]; and
c. Monitors policy compliance at [Assignment: organization-defined frequency].
a. Prohibits the installation of software by users on all GFE;
b. Enforces software installation policies through organization-defined methods (defined in the SSPP); and
c. Monitors policy compliance at least monthly.
The following steps detail the CMS specific process for the implementation of the CM-11 control and/or requirement: