| 💼 CM-1 CONFIGURATION MANAGEMENT POLICY AND PROCEDURES | | | | |
| 💼 CM-2 BASELINE CONFIGURATION | 7 | 1 | 1 | |
|     💼 CM-2 (1) REVIEWS AND UPDATES | | | | |
|     💼 CM-2 (2) AUTOMATION SUPPORT FOR ACCURACY _ CURRENCY | | | | |
|     💼 CM-2 (3) RETENTION OF PREVIOUS CONFIGURATIONS | | | | |
|     💼 CM-2 (4) UNAUTHORIZED SOFTWARE | | | | |
|     💼 CM-2 (5) AUTHORIZED SOFTWARE | | | | |
|     💼 CM-2 (6) DEVELOPMENT AND TEST ENVIRONMENTS | | | | |
|     💼 CM-2 (7) CONFIGURE SYSTEMS, COMPONENTS, OR DEVICES FOR HIGH-RISK AREAS | | | | |
| 💼 CM-3 CONFIGURATION CHANGE CONTROL | 6 | | | |
|     💼 CM-3 (1) AUTOMATED DOCUMENT _ NOTIFICATION _ PROHIBITION OF CHANGES | | | | |
|     💼 CM-3 (2) TEST _ VALIDATE _ DOCUMENT CHANGES | | | | |
|     💼 CM-3 (3) AUTOMATED CHANGE IMPLEMENTATION | | | | |
|     💼 CM-3 (4) SECURITY REPRESENTATIVE | | | | |
|     💼 CM-3 (5) AUTOMATED SECURITY RESPONSE | | | | |
|     💼 CM-3 (6) CRYPTOGRAPHY MANAGEMENT | | 1 | 1 | |
| 💼 CM-4 SECURITY IMPACT ANALYSIS | 2 | | | |
|     💼 CM-4 (1) SEPARATE TEST ENVIRONMENTS | | | | |
|     💼 CM-4 (2) VERIFICATION OF SECURITY FUNCTIONS | | | | |
| 💼 CM-5 ACCESS RESTRICTIONS FOR CHANGE | 7 | | | |
|     💼 CM-5 (1) AUTOMATED ACCESS ENFORCEMENT _ AUDITING | | | | |
|     💼 CM-5 (2) REVIEW SYSTEM CHANGES | | | | |
|     💼 CM-5 (3) SIGNED COMPONENTS | | | | |
|     💼 CM-5 (4) DUAL AUTHORIZATION | | | | |
|     💼 CM-5 (5) LIMIT PRODUCTION _ OPERATIONAL PRIVILEGES | | | | |
|     💼 CM-5 (6) LIMIT LIBRARY PRIVILEGES | | | | |
|     💼 CM-5 (7) AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS | | | | |
| 💼 CM-6 CONFIGURATION SETTINGS | 4 | 1 | 1 | |
|     💼 CM-6 (1) AUTOMATED CENTRAL MANAGEMENT _ APPLICATION _ VERIFICATION | | | | |
|     💼 CM-6 (2) RESPOND TO UNAUTHORIZED CHANGES | | | | |
|     💼 CM-6 (3) UNAUTHORIZED CHANGE DETECTION | | | | |
|     💼 CM-6 (4) CONFORMANCE DEMONSTRATION | | | | |
| 💼 CM-7 LEAST FUNCTIONALITY | 5 | 6 | 7 | |
|     💼 CM-7 (1) PERIODIC REVIEW | | 3 | 4 | |
|     💼 CM-7 (2) PREVENT PROGRAM EXECUTION | | | | |
|     💼 CM-7 (3) REGISTRATION COMPLIANCE | | | | |
|     💼 CM-7 (4) UNAUTHORIZED SOFTWARE _ BLACKLISTING | | | | |
|     💼 CM-7 (5) AUTHORIZED SOFTWARE _ WHITELISTING | | | | |
| 💼 CM-8 INFORMATION SYSTEM COMPONENT INVENTORY | 9 | 1 | 2 | |
|     💼 CM-8 (1) UPDATES DURING INSTALLATIONS _ REMOVALS | | | | |
|     💼 CM-8 (2) AUTOMATED MAINTENANCE | | | | |
|     💼 CM-8 (3) AUTOMATED UNAUTHORIZED COMPONENT DETECTION | | | | |
|     💼 CM-8 (4) ACCOUNTABILITY INFORMATION | | | | |
|     💼 CM-8 (5) NO DUPLICATE ACCOUNTING OF COMPONENTS | | | | |
|     💼 CM-8 (6) ASSESSED CONFIGURATIONS _ APPROVED DEVIATIONS | | | | |
|     💼 CM-8 (7) CENTRALIZED REPOSITORY | | | | |
|     💼 CM-8 (8) AUTOMATED LOCATION TRACKING | | | | |
|     💼 CM-8 (9) ASSIGNMENT OF COMPONENTS TO SYSTEMS | | | | |
| 💼 CM-9 CONFIGURATION MANAGEMENT PLAN | 1 | | | |
|     💼 CM-9 (1) ASSIGNMENT OF RESPONSIBILITY | | | | |
| 💼 CM-10 SOFTWARE USAGE RESTRICTIONS | 1 | | | |
|     💼 CM-10 (1) OPEN SOURCE SOFTWARE | | | | |
| 💼 CM-11 USER-INSTALLED SOFTWARE | 2 | | | |
|     💼 CM-11 (1) ALERTS FOR UNAUTHORIZED INSTALLATIONS | | | | |
|     💼 CM-11 (2) PROHIBIT INSTALLATION WITHOUT PRIVILEGED STATUS | | | | |