| 💼 CM-1 Policy and Procedures | | | 3 | |
| 💼 CM-2 Baseline Configuration | 7 | | 25 | |
|     💼 CM-2(1) Baseline Configuration _ Reviews and Updates | | | | |
|     💼 CM-2(2) Baseline Configuration _ Automation Support for Accuracy and Currency | | | 15 | |
|     💼 CM-2(3) Baseline Configuration _ Retention of Previous Configurations | | | | |
|     💼 CM-2(4) Baseline Configuration _ Unauthorized Software | | | | |
|     💼 CM-2(5) Baseline Configuration _ Authorized Software | | | | |
|     💼 CM-2(6) Baseline Configuration _ Development and Test Environments | | | | |
|     💼 CM-2(7) Baseline Configuration _ Configure Systems and Components for High-risk Areas | | | | |
| 💼 CM-3 Configuration Change Control | 8 | 17 | 19 | |
|     💼 CM-3(1) Configuration Change Control _ Automated Documentation, Notification, and Prohibition of Changes | | | | |
|     💼 CM-3(2) Configuration Change Control _ Testing, Validation, and Documentation of Changes | | | | |
|     💼 CM-3(3) Configuration Change Control _ Automated Change Implementation | | | | |
|     💼 CM-3(4) Configuration Change Control _ Security and Privacy Representatives | | | | |
|     💼 CM-3(5) Configuration Change Control _ Automated Security Response | | | | |
|     💼 CM-3(6) Configuration Change Control _ Cryptography Management | | | 6 | |
|     💼 CM-3(7) Configuration Change Control _ Review System Changes | | | | |
|     💼 CM-3(8) Configuration Change Control _ Prevent or Restrict Configuration Changes | | | | |
| 💼 CM-4 Impact Analyses | 2 | | | |
|     💼 CM-4(1) Impact Analyses _ Separate Test Environments | | | | |
|     💼 CM-4(2) Impact Analyses _ Verification of Controls | | | | |
| 💼 CM-5 Access Restrictions for Change | 7 | | | |
|     💼 CM-5(1) Access Restrictions for Change _ Automated Access Enforcement and Audit Records | | | | |
|     💼 CM-5(2) Access Restrictions for Change _ Review System Changes | | | | |
|     💼 CM-5(3) Access Restrictions for Change _ Signed Components | | | | |
|     💼 CM-5(4) Access Restrictions for Change _ Dual Authorization | | | | |
|     💼 CM-5(5) Access Restrictions for Change _ Privilege Limitation for Production and Operation | | | | |
|     💼 CM-5(6) Access Restrictions for Change _ Limit Library Privileges | | | | |
|     💼 CM-5(7) Access Restrictions for Change _ Automatic Implementation of Security Safeguards | | | | |
| 💼 CM-6 Configuration Settings | 4 | | 11 | |
|     💼 CM-6(1) Configuration Settings _ Automated Management, Application, and Verification | | | 1 | |
|     💼 CM-6(2) Configuration Settings _ Respond to Unauthorized Changes | | | | |
|     💼 CM-6(3) Configuration Settings _ Unauthorized Change Detection | | | | |
|     💼 CM-6(4) Configuration Settings _ Conformance Demonstration | | | | |
| 💼 CM-7 Least Functionality | 9 | | 23 | |
|     💼 CM-7(1) Least Functionality _ Periodic Review | | | | |
|     💼 CM-7(2) Least Functionality _ Prevent Program Execution | | | | |
|     💼 CM-7(3) Least Functionality _ Registration Compliance | | | | |
|     💼 CM-7(4) Least Functionality _ Unauthorized Software — Deny-by-exception | | | | |
|     💼 CM-7(5) Least Functionality _ Authorized Software — Allow-by-exception | | | | |
|     💼 CM-7(6) Least Functionality _ Confined Environments with Limited Privileges | | | | |
|     💼 CM-7(7) Least Functionality _ Code Execution in Protected Environments | | | | |
|     💼 CM-7(8) Least Functionality _ Binary or Machine Executable Code | | | | |
|     💼 CM-7(9) Least Functionality _ Prohibiting The Use of Unauthorized Hardware | | | | |
| 💼 CM-8 System Component Inventory | 9 | | 2 | |
|     💼 CM-8(1) System Component Inventory _ Updates During Installation and Removal | | | 1 | |
|     💼 CM-8(2) System Component Inventory _ Automated Maintenance | | | 1 | |
|     💼 CM-8(3) System Component Inventory _ Automated Unauthorized Component Detection | | | | |
|     💼 CM-8(4) System Component Inventory _ Accountability Information | | | | |
|     💼 CM-8(5) System Component Inventory _ No Duplicate Accounting of Components | | | | |
|     💼 CM-8(6) System Component Inventory _ Assessed Configurations and Approved Deviations | | | | |
|     💼 CM-8(7) System Component Inventory _ Centralized Repository | | | | |
|     💼 CM-8(8) System Component Inventory _ Automated Location Tracking | | | | |
|     💼 CM-8(9) System Component Inventory _ Assignment of Components to Systems | | | | |
| 💼 CM-9 Configuration Management Plan | 1 | | 8 | |
|     💼 CM-9(1) Configuration Management Plan _ Assignment of Responsibility | | | | |
| 💼 CM-10 Software Usage Restrictions | 1 | | | |
|     💼 CM-10(1) Software Usage Restrictions _ Open-source Software | | | | |
| 💼 CM-11 User-installed Software | 3 | | | |
|     💼 CM-11(1) User-installed Software _ Alerts for Unauthorized Installations | | | | |
|     💼 CM-11(2) User-installed Software _ Software Installation with Privileged Status | | | | |
|     💼 CM-11(3) User-installed Software _ Automated Enforcement and Monitoring | | | | |
| 💼 CM-12 Information Location | 1 | | | |
|     💼 CM-12(1) Information Location _ Automated Tools to Support Information Location | | | | |
| 💼 CM-13 Data Action Mapping | | | | |
| 💼 CM-14 Signed Components | | | | |