💼 CM-2 Baseline Configuration (L)(M)(H)

ID: /frameworks/fedramp-high-security-controls/cm/02

Description

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and

b. Review and update the baseline configuration of the system:

[FedRAMP Assignment: at least annually and when a significant change occurs];
When required due to [FedRAMP Assignment: to include when directed by the JAB]; and
When system components are installed or upgraded.

CM-2 Additional FedRAMP Requirements and Guidance:

(b) (1) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

Similar

Sections
- /frameworks/nist-sp-800-53-r5/cm/02
Internal
- ID: dec-c-aa2b018a

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 NIST SP 800-53 Revision 5 → 💼 CM-2 Baseline Configuration	7		29		no data

Similar Sections (Give Policies To)

Section	Sub Sections	Internal Rules	Policies	Flags	Compliance
💼 FedRAMP Low Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)			29		no data
💼 FedRAMP Moderate Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3		30		no data

Sub Sections

Section	Internal Rules	Policies	Compliance
💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H)		16	no data
💼 CM-2(3) Retention of Previous Configurations (M)(H)	1	1	no data
💼 CM-2(7) Configure Systems and Components for High-risk Areas (M)(H)			no data

Policies (29)

Policy	Logic Count	Flags	Compliance
🛡️ AWS Account Alternate Contact Information is not current🔴🟢⚪		🔴 x1, 🟢 x2, ⚪ x1	no data
🛡️ AWS API Gateway API Route Authorization Type is not configured🟢	1	🟢 x6	no data
🛡️ AWS CloudFront Web Distribution uses Dedicated IP for SSL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2🟢	1	🟢 x6	no data
🛡️ AWS EC2 Auto Scaling Group uses Launch Configuration instead of Launch Template🟢	1	🟢 x6	no data
🛡️ AWS EC2 Instance uses paravirtual Virtualization Type🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted CIFS traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted FTP traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted RPC traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted SMTP traffic🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MSSQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to MySQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted traffic to PostgreSQL🟢	1	🟢 x6	no data
🛡️ AWS EC2 Security Group allows unrestricted Telnet traffic🟢	1	🟢 x6	no data
🛡️ AWS ECR Repository Image Tag Mutability is set to Mutable🟢	1	🟢 x6	no data
🛡️ AWS ECR Repository Lifecycle Policy is not configured🟢	1	🟢 x6	no data
🛡️ AWS VPC Network ACL exposes admin ports to public internet ports🟢	1	🟢 x6	no data
🛡️ AWS VPC Transit Gateway Auto Accept Shared Attachments is enabled🟢	1	🟢 x6	no data
🛡️ AWS WAF Rule Group has no WAF Rules🟢	1	🟠 x1, 🟢 x5	no data
🛡️ AWS WAF Web ACL has no WAF Rules or WAF Rule Groups🟢	1	🟠 x1, 🟢 x5	no data
🛡️ Google Cloud DNS Managed Zone DNSSEC is not enabled🟢	1	🟢 x6	no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1🟢	1	🟢 x6	no data
🛡️ Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value🟢	1	🟢 x6	no data
🛡️ Google Cloud SQL Server Instance user options Database Flag is configured🟢	1	🟢 x6	no data
🛡️ Google Project has a legacy network🟢	1	🟢 x6	no data

Description​

Similar​

Similar Sections (Take Policies From)​

Similar Sections (Give Policies To)​

Sub Sections​

Policies (29)​