Red Hat Virtualization Host - Configuration Management

Control responses for NIST 800-53 rev4.


Requirements Traceability Matrix

Control    Name                                                            Status
CM-1       Configuration Management Policy And Procedures                  not applicable
CM-2       Baseline Configuration                                          not applicable
CM-2 (1)   Reviews And Updates
CM-2 (2)   Automation Support For Accuracy / Currency
CM-2 (3)   Retention Of Previous Configurations
CM-2 (4)   Unauthorized Software
CM-2 (5)   Authorized Software
CM-2 (6)   Development And Test Environments
CM-2 (7)   Configure Systems, Components, Or Devices For High-Risk Areas
CM-3       Configuration Change Control
CM-3 (1)   Automated Document / Notification / Prohibition Of Changes
CM-3 (2)   Test / Validate / Document Changes
CM-3 (3)   Automated Change Implementation
CM-3 (4)   Security Representative
CM-3 (5)   Automated Security Response
CM-3 (6)   Cryptography Management
CM-4       Security Impact Analysis                                        not applicable
CM-4 (1)   Separate Test Environments
CM-4 (2)   Verification Of Security Functions
CM-5       Access Restrictions For Change
CM-5 (1)   Automated Access Enforcement / Auditing
CM-5 (2)   Review System Changes
CM-5 (3)   Signed Components
CM-5 (4)   Dual Authorization
CM-5 (5)   Limit Production / Operational Privileges
CM-5 (6)   Limit Library Privileges
CM-5 (7)   Automatic Implementation Of Security Safeguards
CM-6       Configuration Settings                                          not applicable
CM-6 (1)   Automated Central Management / Application / Verification
CM-6 (2)   Respond To Unauthorized Changes
CM-6 (3)   Unauthorized Change Detection
CM-6 (4)   Conformance Demonstration
CM-7       Least Functionality                                             complete
CM-7 (1)   Periodic Review
CM-7 (2)   Prevent Program Execution
CM-7 (3)   Registration Compliance
CM-7 (4)   Unauthorized Software / Blacklisting
CM-7 (5)   Authorized Software / Whitelisting
CM-8       Information System Component Inventory                          not applicable
CM-8 (1)   Updates During Installations / Removals
CM-8 (2)   Automated Maintenance
CM-8 (3)   Automated Unauthorized Component Detection
CM-8 (4)   Accountability Information
CM-8 (5)   No Duplicate Accounting Of Components
CM-8 (6)   Assessed Configurations / Approved Deviations
CM-8 (7)   Centralized Repository
CM-8 (8)   Automated Location Tracking
CM-8 (9)   Assignment Of Components To Systems
CM-9       Configuration Management Plan
CM-9 (1)   Assignment Of Responsibility
CM-10      Software Usage Restrictions                                     not applicable
CM-10 (1)  Open Source Software
CM-11      User-Installed Software                                         complete
CM-11 (1)  Alerts For Unauthorized Installations
CM-11 (2)  Prohibit Installation Without Privileged Status



CM-1: Configuration Management Policy And Procedures

The organization: a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: 1. A configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and 2. Procedures to facilitate the implementation of the configuration management policy and associated configuration management controls; and b. Reviews and updates the current: 1. Configuration management policy [Assignment: organization-defined frequency]; and 2. Configuration management procedures [Assignment: organization-defined frequency].

CM-1 Control Response Information
Implementation Status:

not applicable

CM-1: What is the solution and how is it implemented?
CM-1(a):

This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).

CM-1(b):

This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).




CM-2: Baseline Configuration

“The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.”

CM-2 Control Response Information
Implementation Status:

not applicable

CM-2: What is the solution and how is it implemented?

This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).




CM-2 (1): Reviews And Updates

The organization reviews and updates the baseline configuration of the information system: (1)(a). [Assignment: organization-defined frequency]; (1)(b). When required due to [Assignment: organization-defined circumstances]; and (1)(c). As an integral part of information system component installations and upgrades.

CM-2 (1) Control Response Information
Implementation Status:
CM-2 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-2 (2): Automation Support For Accuracy / Currency

“The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.”

CM-2 (2) Control Response Information
Implementation Status:
CM-2 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-2 (3): Retention Of Previous Configurations

“The organization retains [Assignment: organization-defined previous versions of baseline configurations of the information system] to support rollback.”

CM-2 (3) Control Response Information
Implementation Status:
CM-2 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-2 (4): Unauthorized Software

“[Withdrawn: Incorporated into CM-7].”

CM-2 (4) Control Response Information
Implementation Status:
CM-2 (4): What is the solution and how is it implemented?
This enhancement was withdrawn in NIST 800-53 rev4 and incorporated into CM-7; it has not been evaluated separately in the context of Red Hat Virtualization Host.



CM-2 (5): Authorized Software

“[Withdrawn: Incorporated into CM-7].”

CM-2 (5) Control Response Information
Implementation Status:
CM-2 (5): What is the solution and how is it implemented?
This enhancement was withdrawn in NIST 800-53 rev4 and incorporated into CM-7; it has not been evaluated separately in the context of Red Hat Virtualization Host.



CM-2 (6): Development And Test Environments

“The organization maintains a baseline configuration for information system development and test environments that is managed separately from the operational baseline configuration.”

CM-2 (6) Control Response Information
Implementation Status:
CM-2 (6): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-2 (7): Configure Systems, Components, Or Devices For High-Risk Areas

The organization: (7)(a). Issues [Assignment: organization-defined information systems, system components, or devices] with [Assignment: organization-defined configurations] to individuals traveling to locations that the organization deems to be of significant risk; and (7)(b). Applies [Assignment: organization-defined security safeguards] to the devices when the individuals return.

CM-2 (7) Control Response Information
Implementation Status:
CM-2 (7): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-3: Configuration Change Control

The organization: a. Determines the types of changes to the information system that are configuration-controlled; b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c. Documents configuration change decisions associated with the information system; d. Implements approved configuration-controlled changes to the information system; e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; f. Audits and reviews activities associated with configuration-controlled changes to the information system; and g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

CM-3 Control Response Information
Implementation Status:
CM-3: What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-3 (1): Automated Document / Notification / Prohibition Of Changes

The organization employs automated mechanisms to: (1)(a). Document proposed changes to the information system; (1)(b). Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval; (1)(c). Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period]; (1)(d). Prohibit changes to the information system until designated approvals are received; (1)(e). Document all changes to the information system; and (1)(f). Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.

CM-3 (1) Control Response Information
Implementation Status:
CM-3 (1): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-3 (2): Test / Validate / Document Changes

“The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.”

CM-3 (2) Control Response Information
Implementation Status:
CM-3 (2): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-3 (3): Automated Change Implementation

“The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.”

CM-3 (3) Control Response Information
Implementation Status:
CM-3 (3): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-3 (4): Security Representative

“The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].”

CM-3 (4) Control Response Information
Implementation Status:
CM-3 (4): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-3 (5): Automated Security Response

“The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.”

CM-3 (5) Control Response Information
Implementation Status:
CM-3 (5): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-3 (6): Cryptography Management

“The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.”

CM-3 (6) Control Response Information
Implementation Status:
CM-3 (6): What is the solution and how is it implemented?
This control has not been evaluated in the context of Red Hat Virtualization Host.



CM-4: Security Impact Analysis

“The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.”

CM-4 Control Response Information
Implementation Status:

not applicable

CM-4: What is the solution and how is it implemented?

This control reflects organizational procedures/policies, and is not applicable to the configuration of Red Hat Virtualization Host (RHVH).




CM-4 (1): Separate Test Environments

“The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.”

CM-4 (1) Control Response Information
Implementation Status: