Name: Episode 1 CONFIGURATION MGMT POLICY AND PROCEDURE (CM-1)
Uploaded: 2023-11-21 01:00:19
Duration: 14 min 18 s

Question 1

What is NIST 800-53 CM-1 configuration management policy and procedure?

Accepted Answer

CM-1 is the control that requires you to develop, document, and disseminate your configuration management policy and the procedure that supports it. The policy should cover purpose, scope, roles, responsibilities, management commitment, coordination, and compliance. The procedure explains how you actually implement the CM controls in real life.

Question 2

Why is configuration management important in cybersecurity and GRC?

Accepted Answer

Configuration management is how you maintain your system baseline so you don’t introduce unwanted weaknesses over time. Without it, you end up with lack of oversight where admins, engineers, or developers can change production configurations or code without authorization. That’s exactly how you get unintended risk and security gaps.

Question 3

Is CM-1 required for low, moderate, and high baselines?

Accepted Answer

Yes—CM-1 is selected across all baselines. In Rev. 4 and Rev. 5, it’s in low, moderate, and high, and that makes sense because every system needs policy/procedure governance. If you don’t have the policy foundation, the rest of the CM family becomes inconsistent.

Question 4

What changed in CM-1 between NIST 800-53 Rev 4 and Rev 5?

Accepted Answer

Rev. 5 adds language about being consistent with applicable federal laws, executive orders, directives, regulations, standards, and guidelines. It also adds the idea of designating an organization-defined official to manage development and dissemination. And it calls out organization-defined events that can trigger updates, like evolving threats or changes in laws.

Question 5

How often should configuration management policy and procedures be reviewed?

Accepted Answer

The frequency is organization-defined, but I call out common best practice: procedures are usually reviewed annually, and policies are often reviewed every three years. If you review outside those cycles, you should have a defined event that triggers it—like audit findings, incidents, or changes in applicable requirements. The key is being able to justify and evidence the review/update.

Question 6

How do you test or assess CM-1 during an audit?

Accepted Answer

I start by obtaining and examining the configuration management policy and procedure, and I also check the system security plan. Then I verify the documents are current, reviewed per the stated frequency, and have the required signatures. Finally, I confirm dissemination—often using SharePoint evidence, like screenshots showing the document location and who has access.

Question 7

What does “disseminate” mean for CM-1 and how do you prove it?

Accepted Answer

Disseminate means the right personnel/roles can access the policy and procedure—this is not just writing the document and hiding it. One practical way to prove dissemination is showing it’s posted in a controlled repository like SharePoint. You can provide screenshots of the library and the access list to show it’s available to the appropriate people.

Episode 1 CONFIGURATION MGMT POLICY AND PROCEDURE (CM-1)

🛍️ Products Mentioned (4)

Official NIST publications, standards, and guidance

Official KamilSec branded designs and apparel

PayPal

*Patreon & Channel Support*******

About This Video

Frequently Asked Questions

🎬 More from KamilSec