Configuration management
CM-1 Configuration Management Policy And Procedures
Description
The organization:
- Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
  - A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  - Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and
- Reviews and updates the current:
  - Configuration management policy [Assignment: organization-defined frequency]; and
  - Configuration management procedures [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | service provider hybrid, shared |
Implementation Details
CM-2 Baseline Configuration
Description
The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | service provider hybrid, shared |
Implementation Details
CM-2 (1) Reviews And Updates
Description
The organization reviews and updates the baseline configuration of the information system:
- [Assignment: organization-defined frequency];
- When required due to [Assignment: organization-defined circumstances]; and
- As an integral part of information system component installations and upgrades.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | service provider hybrid, shared |
Implementation Details
CM-2 (2) Automation Support For Accuracy / Currency
Description
The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | service provider hybrid |
Implementation Details
CM-2 (3) Retention Of Previous Configurations
Description
The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | service provider hybrid |
Implementation Details
CM-2 (6) Development And Test Environments
Description
The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.
Control Information
Responsible role(s) - Organization
CM-2 (7) Configure Systems, Components, Or Devices For High-Risk Areas
Description
The organization:
- Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and
- Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.
Control Information
Responsible role(s) - Organization
CM-3 Configuration Change Control
Description
The organization:
- Determines the types of changes to the information system that are configuration-controlled;
- Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
- Documents configuration change decisions associated with the information system;
- Implements approved configuration-controlled changes to the information system;
- Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
- Audits and reviews activities associated with configuration-controlled changes to the information system; and
- Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | service provider hybrid |
Implementation Details
CM-3 (1) Automated Document / Notification / Prohibition Of Changes
Description
The organization employs automated mechanisms to:
- Document proposed changes to the information system;
- Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval;
- Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
- Prohibit changes to the information system until designated approvals are received;
- Document all changes to the information system; and
- Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | service provider hybrid |
Implementation Details
CM-3 (2) Test / Validate / Document Changes
Description
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | service provider hybrid |
Implementation Details
CM-3 (3) Automated Change Implementation
Description
The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
Control Information
Responsible role(s) - Organization
CM-3 (4) Security Representative
Description
The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].
Control Information
Responsible role(s) - Organization
CM-3 (5) Automated Security Response
Description
The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.
Control Information
Responsible role(s) - Organization
CM-3 (6) Cryptography Management
Description
The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | service provider hybrid |
Implementation Details
CM-4 Security Impact Analysis
Description
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.
Control Information
Responsible role(s) - Organization
CM-4 (1) Separate Test Environments
Description
The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
Control Information
Responsible role(s) - Organization
CM-4 (2) Verification Of Security Functions
Description
The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
Control Information
Responsible role(s) - Organization
CM-5 Access Restrictions For Change
Description
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
Control Information
Responsible role(s) - Organization
CM-5 (1) Automated Access Enforcement / Auditing
Description
The information system enforces access restrictions and supports auditing of the enforcement actions.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Trusted Registry (DTR) | none | Docker EE system |
Universal Control Plane (UCP) | none | Docker EE system |
Implementation Details
- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/
- https://docs.docker.com/datacenter/dtr/2.3/guides/admin/manage-users/permission-levels/
- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#Organizations_.E2.80.94_RBAC
- https://docs.docker.com/datacenter/ucp/2.2/guides/access-control/
- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Docker_EE_Best_Practices_and_Design_Considerations#RBAC_and_Managing_Team_Level_Access_to_Resources
- https://success.docker.com/Architecture/Docker_Reference_Architecture%3A_Securing_Docker_EE_and_Security_Best_Practices#RBAC
CM-5 (2) Review System Changes
Description
The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | Docker EE system |
Implementation Details
CM-5 (3) Signed Components
Description
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Trusted Registry (DTR) | none | service provider hybrid, shared |
Docker Enterprise Edition Engine | none | service provider hybrid, shared |
Universal Control Plane (UCP) | none | service provider hybrid, shared |
Implementation Details
CM-5 (4) Dual Authorization
Description
The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].
Control Information
Responsible role(s) - Organization
CM-5 (5) Limit Production / Operational Privileges
Description
The organization:
- Limits privileges to change information system components and system-related information within a production or operational environment; and
- Reviews and reevaluates privileges [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
CM-5 (6) Limit Library Privileges
Description
The organization limits privileges to change software resident within software libraries.
Control Information
Responsible role(s) - Organization
CM-6 Configuration Settings
Description
The organization:
- Establishes and documents configuration settings for information technology products employed within the information system using [Assignment: organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements;
- Implements the configuration settings;
- Identifies, documents, and approves any deviations from established configuration settings for [Assignment: organization-defined information system components] based on [Assignment: organization-defined operational requirements]; and
- Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.
Control Information
Responsible role(s) - Organization
CM-6 (1) Automated Central Management / Application / Verification
Description
The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for [Assignment: organization-defined information system components].
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Trusted Registry (DTR) | none | service provider hybrid |
Docker Enterprise Edition Engine | none | service provider hybrid |
Universal Control Plane (UCP) | none | service provider hybrid |
Implementation Details
CM-6 (2) Respond To Unauthorized Changes
Description
The organization employs [Assignment: organization-defined security safeguards] to respond to unauthorized changes to [Assignment: organization-defined configuration settings].
Control Information
Responsible role(s) - Organization
CM-7 Least Functionality
Description
The organization:
- Configures the information system to provide only essential capabilities; and
- Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | service provider hybrid |
Implementation Details
CM-7 (1) Periodic Review
Description
The organization:
- Reviews the information system [Assignment: organization-defined frequency] to identify unnecessary and/or nonsecure functions, ports, protocols, and services; and
- Disables [Assignment: organization-defined functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure].
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Universal Control Plane (UCP) | none | Docker EE system, service provider corporate, service provider hybrid |
Implementation Details
CM-7 (2) Prevent Program Execution
Description
The information system prevents program execution in accordance with [Selection (one or more): [Assignment: organization-defined policies regarding software program usage and restrictions]; rules authorizing the terms and conditions of software program usage].
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Trusted Registry (DTR) | none | Docker EE system |
Docker Enterprise Edition Engine | none | Docker EE system |
Universal Control Plane (UCP) | none | Docker EE system |
Implementation Details
CM-7 (3) Registration Compliance
Description
The organization ensures compliance with [Assignment: organization-defined registration requirements for functions, ports, protocols, and services].
Control Information
Responsible role(s) - Organization
CM-7 (4) Unauthorized Software / Blacklisting
Description
The organization:
- Identifies [Assignment: organization-defined software programs not authorized to execute on the information system];
- Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
- Reviews and updates the list of unauthorized software programs [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
CM-7 (5) Authorized Software / Whitelisting
Description
The organization:
- Identifies [Assignment: organization-defined software programs authorized to execute on the information system];
- Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
- Reviews and updates the list of authorized software programs [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Trusted Registry (DTR) | none | service provider hybrid, shared |
Docker Enterprise Edition Engine | none | service provider hybrid, shared |
Universal Control Plane (UCP) | none | service provider hybrid, shared |
Implementation Details
CM-8 Information System Component Inventory
Description
The organization:
- Develops and documents an inventory of information system components that:
  - Accurately reflects the current information system;
  - Includes all components within the authorization boundary of the information system;
  - Is at the level of granularity deemed necessary for tracking and reporting; and
  - Includes [Assignment: organization-defined information deemed necessary to achieve effective information system component accountability]; and
- Reviews and updates the information system component inventory [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Organization
CM-8 (1) Updates During Installations / Removals
Description
The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.
Control Information
Responsible role(s) - Organization
CM-8 (2) Automated Maintenance
Description
The organization employs automated mechanisms to help maintain an up-to-date, complete, accurate, and readily available inventory of information system components.
Control Information
Responsible role(s) - Organization
CM-8 (3) Automated Unauthorized Component Detection
Description
The organization:
- Employs automated mechanisms [Assignment: organization-defined frequency] to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
- Takes the following actions when unauthorized components are detected: [Selection (one or more): disables network access by such components; isolates the components; notifies [Assignment: organization-defined personnel or roles]].
Control Information
Responsible role(s) - Organization
CM-8 (4) Accountability Information
Description
The organization includes in the information system component inventory information, a means for identifying by [Selection (one or more): name; position; role], individuals responsible/accountable for administering those components.
Control Information
Responsible role(s) - Organization
CM-8 (5) No Duplicate Accounting Of Components
Description
The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.
Control Information
Responsible role(s) - Organization
CM-8 (6) Assessed Configurations / Approved Deviations
Description
The organization includes assessed component configurations and any approved deviations to current deployed configurations in the information system component inventory.
Control Information
Responsible role(s) - Organization
CM-8 (7) Centralized Repository
Description
The organization provides a centralized repository for the inventory of information system components.
Control Information
Responsible role(s) - Organization
CM-8 (8) Automated Location Tracking
Description
The organization employs automated mechanisms to support tracking of information system components by geographic location.
Control Information
Responsible role(s) - Organization
CM-8 (9) Assignment Of Components To Systems
Description
The organization:
- Assigns [Assignment: organization-defined acquired information system components] to an information system; and
- Receives an acknowledgement from the information system owner of this assignment.
Control Information
Responsible role(s) - Organization
CM-9 Configuration Management Plan
Description
The organization develops, documents, and implements a configuration management plan for the information system that:
- Addresses roles, responsibilities, and configuration management processes and procedures;
- Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of the configuration items;
- Defines the configuration items for the information system and places the configuration items under configuration management; and
- Protects the configuration management plan from unauthorized disclosure and modification.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Enterprise Edition Engine | none | service provider hybrid |
Implementation Details
CM-9 (1) Assignment Of Responsibility
Description
The organization assigns responsibility for developing the configuration management process to organizational personnel that are not directly involved in information system development.
Control Information
Responsible role(s) - Organization
CM-10 Software Usage Restrictions
Description
The organization:
- Uses software and associated documentation in accordance with contract agreements and copyright laws;
- Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
- Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Control Information
Responsible role(s) - Organization
CM-10 (1) Open Source Software
Description
The organization establishes the following restrictions on the use of open source software: [Assignment: organization-defined restrictions].
Control Information
Responsible role(s) - Organization
CM-11 User-Installed Software
Description
The organization:
- Establishes [Assignment: organization-defined policies] governing the installation of software by users;
- Enforces software installation policies through [Assignment: organization-defined methods]; and
- Monitors policy compliance at [Assignment: organization-defined frequency].
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Trusted Registry (DTR) | none | service provider hybrid, shared |
Implementation Details
CM-11 (1) Alerts For Unauthorized Installations
Description
The information system alerts [Assignment: organization-defined personnel or roles] when the unauthorized installation of software is detected.
Control Information
Responsible role(s) - Docker system
Component | Implementation Status(es) | Control Origin(s) |
---|---|---|
Docker Trusted Registry (DTR) | none | service provider hybrid, shared |
Implementation Details
CM-11 (2) Prohibit Installation Without Privileged Status
Description
The information system prohibits user installation of software without explicit privileged status.
Control Information
Responsible role(s) - Organization