| 💼 CM-1 Policy and Procedures (L)(M)(H) | | | 3 | |
| 💼 CM-2 Baseline Configuration (L)(M)(H) | 3 | | 25 | |
|     💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H) | | | 15 | |
|     💼 CM-2(3) Retention of Previous Configurations (M)(H) | | 1 | 1 | |
|     💼 CM-2(7) Configure Systems and Components for High-risk Areas (M)(H) | | | | |
| 💼 CM-3 Configuration Change Control (M)(H) | 4 | | 19 | |
|     💼 CM-3(1) Automated Documentation, Notification, and Prohibition of Changes (H) | | | | |
|     💼 CM-3(2) Testing, Validation, and Documentation of Changes (M)(H) | | | | |
|     💼 CM-3(4) Security and Privacy Representatives (M)(H) | | | | |
|     💼 CM-3(6) Cryptography Management (H) | | | 6 | |
| 💼 CM-4 Impact Analyses (L)(M)(H) | 2 | | | |
|     💼 CM-4(1) Separate Test Environments (H) | | | | |
|     💼 CM-4(2) Verification of Controls (M)(H) | | | | |
| 💼 CM-5 Access Restrictions for Change (L)(M)(H) | 2 | 7 | 8 | |
|     💼 CM-5(1) Automated Access Enforcement and Audit Records (M)(H) | | 7 | 8 | |
|     💼 CM-5(5) Privilege Limitation for Production and Operation (M)(H) | | 1 | 1 | |
| 💼 CM-6 Configuration Settings (L)(M)(H) | 2 | | 11 | |
|     💼 CM-6(1) Automated Management, Application, and Verification (M)(H) | | | 1 | |
|     💼 CM-6(2) Respond to Unauthorized Changes (H) | | | | |
| 💼 CM-7 Least Functionality (L)(M)(H) | 3 | 6 | 29 | |
|     💼 CM-7(1) Periodic Review (M)(H) | | 12 | 12 | |
|     💼 CM-7(2) Prevent Program Execution (M)(H) | | | | |
|     💼 CM-7(5) Authorized Software — Allow-by-exception (M)(H) | | | | |
| 💼 CM-8 System Component Inventory (L)(M)(H) | 4 | | 2 | |
|     💼 CM-8(1) Updates During Installation and Removal (M)(H) | | | 1 | |
|     💼 CM-8(2) Automated Maintenance (H) | | | 1 | |
|     💼 CM-8(3) Automated Unauthorized Component Detection (M)(H) | | | | |
|     💼 CM-8(4) Accountability Information (H) | | | | |
| 💼 CM-9 Configuration Management Plan (M)(H) | | | 8 | |
| 💼 CM-10 Software Usage Restrictions (L)(M)(H) | | | | |
| 💼 CM-11 User-installed Software (L)(M)(H) | | 4 | 4 | |
| 💼 CM-12 Information Location (M)(H) | 1 | | | |
|     💼 CM-12(1) Automated Tools to Support Information Location (M)(H) | | | | |
| 💼 CM-14 Signed Components (H) | | | | |