CoreOS 4.x - Configuration Management

Control responses for NIST 800-53 rev4.

NOTE: All CoreOS content is under active development through the ComplianceAsCode Project. Do not consider this content production ready!


Requirements Traceability Matrix

| Control | Name | Status |
|---|---|---|
| CM-1 | Configuration Management Policy And Procedures | not applicable |
| CM-2 | Baseline Configuration | planned |
| CM-2 (1) | Reviews And Updates | planned |
| CM-2 (2) | Automation Support For Accuracy / Currency | planned |
| CM-2 (3) | Retention Of Previous Configurations | planned |
| CM-2 (4) | Unauthorized Software | not applicable |
| CM-2 (5) | Authorized Software | not applicable |
| CM-2 (6) | Development And Test Environments | planned |
| CM-2 (7) | Configure Systems, Components, Or Devices For High-Risk Areas | not applicable |
| CM-3 | Configuration Change Control | planned |
| CM-3 (1) | Automated Document / Notification / Prohibition Of Changes | planned |
| CM-3 (2) | Test / Validate / Document Changes | planned |
| CM-3 (3) | Automated Change Implementation | planned |
| CM-3 (4) | Security Representative | not applicable |
| CM-3 (5) | Automated Security Response | planned |
| CM-3 (6) | Cryptography Management | planned |
| CM-4 | Security Impact Analysis | not applicable |
| CM-4 (1) | Separate Test Environments | not applicable |
| CM-4 (2) | Verification Of Security Functions | planned |
| CM-5 | Access Restrictions For Change | planned |
| CM-5 (1) | Automated Access Enforcement / Auditing | planned |
| CM-5 (2) | Review System Changes | planned |
| CM-5 (3) | Signed Components | planned |
| CM-5 (4) | Dual Authorization | planned |
| CM-5 (5) | Limit Production / Operational Privileges | planned |
| CM-5 (6) | Limit Library Privileges | planned |
| CM-5 (7) | Automatic Implementation Of Security Safeguards | not applicable |
| CM-6 | Configuration Settings | planned |
| CM-6 (1) | Automated Central Management / Application / Verification | planned |
| CM-6 (2) | Respond To Unauthorized Changes | planned |
| CM-6 (3) | Unauthorized Change Detection | not applicable |
| CM-6 (4) | Conformance Demonstration | not applicable |
| CM-7 | Least Functionality | planned |
| CM-7 (1) | Periodic Review | planned |
| CM-7 (2) | Prevent Program Execution | planned |
| CM-7 (3) | Registration Compliance | not applicable |
| CM-7 (4) | Unauthorized Software / Blacklisting | planned |
| CM-7 (5) | Authorized Software / Whitelisting | planned |
| CM-8 | Information System Component Inventory | planned |
| CM-8 (1) | Updates During Installations / Removals | planned |
| CM-8 (2) | Automated Maintenance | planned |
| CM-8 (3) | Automated Unauthorized Component Detection | planned |
| CM-8 (4) | Accountability Information | not applicable |
| CM-8 (5) | No Duplicate Accounting Of Components | not applicable |
| CM-8 (6) | Assessed Configurations / Approved Deviations | planned |
| CM-8 (7) | Centralized Repository | planned |
| CM-8 (8) | Automated Location Tracking | planned |
| CM-8 (9) | Assignment Of Components To Systems | not applicable |
| CM-9 | Configuration Management Plan | planned |
| CM-9 (1) | Assignment Of Responsibility | not applicable |
| CM-10 | Software Usage Restrictions | |