| ๐ผ CM-1 Policy and Procedures (L)(M)(H) | | | | |
| ๐ผ CM-2 Baseline Configuration (L)(M)(H) | 3 | | 13 | |
| ย ย ย ย ๐ผ CM-2(2) Automation Support for Accuracy and Currency (M)(H) | | | 13 | |
| ย ย ย ย ๐ผ CM-2(3) Retention of Previous Configurations (M)(H) | | | 1 | |
| ย ย ย ย ๐ผ CM-2(7) Configure Systems and Components for High-risk Areas (M)(H) | | | | |
| ๐ผ CM-3 Configuration Change Control (M)(H) | 2 | | 17 | |
| ย ย ย ย ๐ผ CM-3(2) Testing, Validation, and Documentation of Changes (M)(H) | | | | |
| ย ย ย ย ๐ผ CM-3(4) Security and Privacy Representatives (M)(H) | | | | |
| ๐ผ CM-4 Impact Analyses (L)(M)(H) | 1 | | | |
| ย ย ย ย ๐ผ CM-4(2) Verification of Controls (M)(H) | | | | |
| ๐ผ CM-5 Access Restrictions for Change (L)(M)(H) | 2 | | 8 | |
| ย ย ย ย ๐ผ CM-5(1) Automated Access Enforcement and Audit Records (M)(H) | | | 9 | |
| ย ย ย ย ๐ผ CM-5(5) Privilege Limitation for Production and Operation (M)(H) | | | 1 | |
| ๐ผ CM-6 Configuration Settings (L)(M)(H) | 1 | | | |
| ย ย ย ย ๐ผ CM-6(1) Automated Management, Application, and Verification (M)(H) | | | 1 | |
| ๐ผ CM-7 Least Functionality (L)(M)(H) | 3 | | 18 | |
| ย ย ย ย ๐ผ CM-7(1) Periodic Review (M)(H) | | | 11 | |
| ย ย ย ย ๐ผ CM-7(2) Prevent Program Execution (M)(H) | | | | |
| ย ย ย ย ๐ผ CM-7(5) Authorized Software โ Allow-by-exception (M)(H) | | | | |
| ๐ผ CM-8 System Component Inventory (L)(M)(H) | 2 | | 1 | |
| ย ย ย ย ๐ผ CM-8(1) Updates During Installation and Removal (M)(H) | | | | |
| ย ย ย ย ๐ผ CM-8(3) Automated Unauthorized Component Detection (M)(H) | | | | |
| ๐ผ CM-9 Configuration Management Plan (M)(H) | | | | |
| ๐ผ CM-10 Software Usage Restrictions (L)(M)(H) | | | | |
| ๐ผ CM-11 User-installed Software (L)(M)(H) | | | 4 | |
| ๐ผ CM-12 Information Location (M)(H) | 1 | | | |
| ย ย ย ย ๐ผ CM-12(1) Automated Tools to Support Information Location (M)(H) | | | | |