💼 CM-2 Baseline Configuration (L)(M)(H)

• Contextual name: 💼 CM-2 Baseline Configuration (L)(M)(H)
• ID: /frameworks/fedramp-moderate-security-controls/cm/02
• Located in: 💼 Configuration Management

Description

a. Develop, document, and maintain under configuration control, a current baseline configuration of the system; and

b. Review and update the baseline configuration of the system:

1. [FedRAMP Assignment: at least annually and when a significant change occurs];

2. When required due to [FedRAMP Assignment: to include when directed by the JAB]; and

3. When system components are installed or upgraded.

CM-2 Additional FedRAMP Requirements and Guidance:

(b) (1) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 2, Appendix F.

Similar

• Sections
  • /frameworks/fedramp-high-security-controls/cm/02
• Internal
  • ID: dec-c-aa2b018a

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 FedRAMP High Security Controls → 💼 CM-2 Baseline Configuration (L)(M)(H)	3	1	26

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CM-2(2) Automation Support for Accuracy and Currency (M)(H)			15
💼 CM-2(3) Retention of Previous Configurations (M)(H)			1
💼 CM-2(7) Configure Systems and Components for High-risk Areas (M)(H)

Policies (25)

Policy	Logic Count	Flags
📝 AWS Account Alternate Contact Information is not current 🔴🟢		🔴 x1, 🟢 x3
📝 AWS API Gateway API Route Authorization Type is not configured 🟢	1	🟢 x6
📝 AWS CloudFront Web Distribution uses Dedicated IP for SSL 🟢	1	🟢 x6
📝 AWS EC2 Auto Scaling Group Launch Template is not configured to require IMDSv2 🟢	1	🟢 x6
📝 AWS EC2 Auto Scaling Group uses Launch Configuration instead of Launch Template 🟢	1	🟢 x6
📝 AWS EC2 Instance uses paravirtual Virtualization Type 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv4 (0.0.0.0/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows public IPv6 (::/0) access to admin ports 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted CIFS traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted FTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted RPC traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted SMTP traffic 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MSSQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to MySQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted traffic to PostgreSQL 🟢	1	🟢 x6
📝 AWS EC2 Security Group allows unrestricted Telnet traffic 🟢	1	🟢 x6
📝 AWS VPC Network ACL exposes admin ports to public internet ports 🟢	1	🟢 x6
📝 AWS VPC Transit Gateway Auto Accept Shared Attachments is enabled 🟢	1	🟢 x6
📝 Google Cloud DNS Managed Zone DNSSEC is not enabled 🟢	1	🟢 x6
📝 Google Cloud DNS Managed Zone DNSSEC Key-Signing Algorithm is RSASHA1 🟢	1	🟢 x6
📝 Google Cloud DNS Managed Zone DNSSEC Zone-Signing Algorithm is RSASHA1 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance 3625 (trace flag) Database Flag is not set to on 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance user connections Database Flag is set to a limiting (other than 0) value 🟢	1	🟢 x6
📝 Google Cloud SQL Server Instance user options Database Flag is configured 🟢	1	🟢 x6
📝 Google Project has a legacy network 🟢	1	🟢 x6