
Part 10, Chapter 5: Manual Exhibit 10-5-A

Indian Health Service
Cybersecurity and Privacy Control Parameter Definitions
Configuration Management (CM) Controls

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, "NIST Security and Privacy Controls for Federal Information Systems and Organizations," provides a catalog of security and privacy controls and control enhancements that must be implemented for Federal information systems.

Many of these controls and enhancements include specific parameters that must be defined by Federal agencies. The Department of Health and Human Services (HHS) has defined roughly 50 percent of these parameters in the HHS OCIO Policy for Information Systems Security and Privacy. HHS directs Operating Divisions (OpDivs) to inherit these parameters and develop their own definitions for the remaining 50 percent. This specific exhibit defines the Configuration Management (CM) family controls.

The IHS Cybersecurity and Privacy Control Parameter Definitions specifies the IHS-defined security control parameters in compliance with HHS direction. The Federal Risk and Authorization Management Program (FedRAMP) parameters that are specifically applicable to cloud systems are located at https://www.fedramp.gov/documents/.

The NIST SP 800-53, Rev 4 CM family controls that were withdrawn or were not selected by HHS are not included in the following table. NIST 800-53, Rev 4 is located at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf.

Note: Some minimum security controls are specified according to the system’s assigned security category (Low, Moderate, High). These varied assignment specifications are identified under the control description with brackets and asterisk: [Assignment*]. Refer to the category columns for specification details.

Control ID | Control Title | Control Description | IHS Minimum Requirement by System Category: Low | Moderate | High

Configuration Management (CM)

CM-1

Configuration Management Policy and Procedures The organization:
  1. Develops, documents, and disseminates to all IHS personnel (via ihs.gov websites) for IHS-wide policies/procedures, and to all system personnel (for individual systems), as required by the System Owner or designee:
    1. A Configuration Management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance (Note: IHS covers this control by establishing Indian Health Manual [IHM] Part 10, Cybersecurity); and
    2. Procedures to facilitate the implementation of the Configuration Management policy and associated CM controls.
  2. Reviews the Configuration Management policy at least every two years and submits to the Division of Regulatory and Policy Coordination for revision when needed.
  3. Reviews the Configuration Management procedures at least every three years and updates the procedures when needed.

Selected

Selected

Selected

CM-2

Baseline Configuration The organization develops, documents, and maintains under configuration control, a current baseline configuration of the information system.

Note: Baseline configurations are required for all systems. Baseline configurations include information about system components (e.g., standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture.

Selected

Selected

Selected

CM-2
c.e.1

Reviews and Updates The organization reviews and updates the baseline configuration of the information system:
  1. [Assignment*];
  2. When required due to significant change to the system or to interconnection modifications, critical security patches, upgrades, hardware replacements, emergency changes (such as those resulting from security incidents), IHS or organizational guideline changes, and other circumstances, as appropriate and as defined by the IHS; and
  3. As an integral part of information system component installations and upgrades.

Not Selected

Selected

*Assignment: At least annually

Selected

*Assignment: Every six months

CM-2
c.e.2

Automation Support for Accuracy/ Currency The organization employs automated mechanisms to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system.

Not Selected

Not Selected

Selected

CM-2
c.e.3

Retention of Previous Configurations The organization retains previous versions of the baseline configuration, as deemed necessary by the IHS, to support rollback.

Not Selected

Selected

Selected

CM-2 c.e.7

Configure Systems, Components, or Devices for High-Risk Areas The organization:
  1. Issues government-furnished laptops and other mobile devices with Federal Information Processing Standards (FIPS) 140-2 compliant encryption at all levels to individuals traveling to locations that the organization deems to be of significant risk; and
  2. Applies security safeguards (e.g., examining the device for physical tampering, purging or reimaging the hard disk drive), as defined by the IHS to the devices when the individuals return.

Note: In cases in which laptop encryption cannot be utilized to secure sensitive data (e.g., prohibition by United States export controls, travel to a country designated as high-risk per the HHS National Security Information Manual, potential danger, inability for personnel to perform work), a laptop that contains no sensitive information should be utilized. Refer to and follow the Office of Security and Strategic Information guidelines for foreign travel.

Not Selected

Selected

Selected

CM-3

Configuration Change Control The organization:
  1. Determines the types of changes to the information system that are configuration-controlled;
  2. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
  3. Documents configuration change decisions associated with the information system;
  4. Implements approved configuration-controlled changes to the information system;
  5. Retains records of configuration-controlled changes to the information system for up to two years, but no less than twelve months after the change;
  6. Audits and reviews activities associated with configuration-controlled changes to the information system; and
  7. Coordinates and provides oversight for configuration change control activities through change control boards or other control bodies that convene monthly and/or when configuration change conditions occur, as defined by the IHS.

Note: Change control boards should include an Information Systems Security Officer (ISSO) or their representative.

Not Selected

Selected

Selected

CM-3
c.e.1

Automated Document/ Notification/ Prohibition of Changes The organization employs automated mechanisms to:
  1. Document proposed changes to the information system;
  2. Notify appropriate personnel (e.g., change control board or other control body, System Owner, project sponsor, ISSO, system administrator) of proposed changes to the information system and request change approval per the system configuration management documentation;
  3. Highlight proposed changes to the information system that have not been approved or disapproved within a time period defined by the system change management process;
  4. Prohibit changes to the information system until designated approvals are received;
  5. Document all changes to the information system; and
  6. Notify appropriate personnel (e.g., change control board or other control body, System Owner, project manager, ISSO, system administrator) when approved changes to the information system are completed.

Not Selected

Not Selected

Selected

CM-3
c.e.2

Test/Validate/ Document Changes The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

Not Selected

Selected

Selected

CM-4

Security Impact Analysis The organization analyzes changes to the information system to determine potential security impacts prior to change implementation. System changes will be tested in a development environment prior to implementation, and major or critical changes will be validated by the vendor, as appropriate.

Selected

Selected

Selected

CM-4
c.e.1

Separate Test Environments The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

Not Selected

Not Selected

Selected

CM-5

Access Restrictions for Change The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Not Selected

Selected

Selected

CM-5
c.e.1

Automated Access Enforcement/ Auditing The information system enforces access restrictions and supports auditing of the enforcement actions.

Not Selected

Not Selected

Selected

CM-5
c.e.2

Review System Changes The organization reviews information system changes weekly and when significant changes occur, as defined by IHS, to determine whether unauthorized changes have occurred.

Not Selected

Not Selected

Selected

CM-5
c.e.3

Signed Components The information system prevents the installation of software and firmware components, as defined by the IHS, without verification that the component has been digitally signed using a certificate that is recognized and approved by the Agency.

Not Selected

Not Selected

Selected

CM-6

Configuration Settings Per HHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications, other configuration-related Department memoranda and standards, and any applicable IHS policy, the organization:
  1. Establishes and documents configuration settings for information technology products employed within the information system that reflect the most restrictive mode consistent with operational requirements;
  2. Implements the configuration settings;
  3. Identifies, documents, and approves any deviations from established configuration settings based on explicit requirements specified by IHS, as documented by the System Owner or designee, and approved by the Chief Information Security Officer through the Authorization to Operate process; and
  4. Monitors and controls changes to the configuration settings.

Note: Apple and Samsung devices must be configured through the Apple Device Enrollment Program and Samsung Knox platforms, the mobile security solutions provided by the respective mobile device manufacturers. Please see IHM, Part 8, Chapter 4 "Capital Planning & Investment Control" for Apple device purchase requirements to ensure the devices are properly configured and managed.

Selected

Selected

Selected

CM-6
c.e.1

Automated Central Management/ Application/ Verification The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for information system components, as defined in the HHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications. Due to the need to support, protect, and audit geographically dispersed endpoints, all IHS workstations must implement Windows operating systems (OSs). The Linux OS is not authorized for use on IHS workstations.

Not Selected

Not Selected

Selected

CM-6
c.e.2

Respond to Unauthorized Changes The organization employs appropriate security safeguards (e.g., alerting designated organizational personnel including at minimum the System Owner, restoring established configuration setting, and halting affected information system processing, as defined by IHS) to respond to unauthorized changes to information system components as defined by the information system.

Not Selected

Not Selected

Selected

CM-7

Least Functionality The organization:
  1. Configures the information system to provide only essential capabilities; and
  2. Prohibits or restricts the use of high-risk functions, ports, protocols, and/or services (e.g., Telnet, FTP [file transfer protocol]), as defined by the IHS or system parameters. This includes: disable System Debugger, automatic reboot after “Blue Screen of Death” (also known as BSoD), autoplay for users, and autoplay for devices; remove unnecessary administrative shares; and configure permissions to give administrators Full Control and the system Read and Start, Stop, and Pause for the following services:
    • Alerter
    • Automatic Updates
    • Background Intelligent Transfer Service (a.k.a. BITS)
    • Clipbook
    • Computer Browser
    • Fax Service
    • FTP Publishing Service
    • IIS Admin Service
    • Internet Connection Sharing
    • Messenger
    • NetMeeting Remote Desktop Sharing
    • Remote Registry Service
    • Routing and Remote Access
    • Simple Mail Transfer Protocol (SMTP)
    • Simple Network Management Protocol (SNMP) Service
    • Simple Network Management Protocol (SNMP) Trap
    • Telnet
    • World Wide Web Publishing Services

Selected

Selected

Selected

CM-7
c.e.1

Periodic Review The organization:
  1. Reviews the information system upon encountering a significant risk, or at least every 30 days, to identify unnecessary and/or non-secure functions, ports, protocols, and services; and
  2. Disables functions, ports, protocols, and services within the information system deemed to be unnecessary and/or non-secure.

Not Selected

Selected

Selected

CM-7
c.e.2

Prevent Program Execution The information system prevents program execution in accordance with IHS-defined policies regarding software program use and restrictions; and, when necessary, the rules authorizing the terms and conditions of software program use.

Not Selected

Selected

Selected

CM-7
c.e.4

Unauthorized Software/ Blacklisting The organization:
  1. Identifies any unapproved software programs, listed in an IHS Unauthorized Applications List;
  2. Employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system; and
  3. Reviews and updates the list of unauthorized software programs at least annually, or upon acquiring or discovering new software within the categories identified during (a).

Note: Unauthorized software could include: software that is no longer supported by its vendor, compilers, known hacking tools, agents that support external file storage or data transmission, or unapproved VPN (virtual private network) clients.

Not Selected

Selected

Not Selected

CM-7
c.e.5

Authorized Software/ Whitelisting The organization:
  1. Identifies approved software programs, as listed on the IHS Approved Hardware and Software list;
  2. Employs a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the information system; and
  3. Reviews and updates the list of authorized software programs at least every 180 days.

Not Selected

Not Selected

Selected

CM-8

Information System Component Inventory The organization:
  1. Develops and documents an inventory of information system components that:
    1. Accurately reflects the current information system;
    2. Includes all components within the authorization boundary of the information system;
    3. Is at the level of granularity deemed necessary for tracking and reporting; and
    4. Includes information identified in System Component Inventory Requirements (see Appendix A: System Component Inventory Requirements); and
  2. Reviews and updates the information system component inventory [Assignment*].

Selected

*Assignment: At least annually

Selected

*Assignment: At least annually

Selected

*Assignment: At least every 180 days

CM-8
c.e.1

Updates During Installations/ Removals The organization updates the inventory of information system components as an integral part of component installations, removals, and information system updates.

Not Selected

Selected

Selected

CM-8
c.e.2

Automated Maintenance The organization employs automated mechanisms to help maintain an up-to-date, complete and accurate, readily available inventory of information system components.

Not Selected

Not Selected

Selected

CM-8
c.e.3

Automated Unauthorized Component Detection The organization:
  1. Employs automated mechanisms at least weekly to detect the presence of unauthorized hardware, software, and firmware components within the information system; and
  2. Takes the following actions when unauthorized components are detected: [Assignment*].

Not Selected

Selected

*Assignment: Select one or more of the following:
  1. Disables network access by such components
  2. Isolates the components
  3. Notifies the IHS Cybersecurity Incident Response Team (CSIRT).

Selected

*Assignment: Select one or more of the following:
  1. Disables network access by such components
  2. Isolates the components
  3. Notifies the IHS CSIRT.

CM-8
c.e.4

Accountability Information In the information system component inventory, the organization identifies by position and role the individuals responsible/accountable for administering those components.

Not Selected

Not Selected

Selected

CM-8
c.e.5

No Duplicate Accounting of Components The organization verifies that all components within the authorization boundary of the information system are not duplicated in other information system component inventories.

Not Selected

Selected

Selected

CM-9

Configuration Management Plan The organization develops, documents, and implements a configuration management plan for the information system that:
  1. Addresses roles, responsibilities, and configuration management processes and procedures;
  2. Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of those items;
  3. Defines the configuration items for the information system and places the configuration items under a configuration management plan; and
  4. Protects the configuration management plan from unauthorized disclosure and modification.

Note: Organizations must also ensure that personnel with configuration management responsibilities are trained on IHS or system applicable configuration management processes.

Not Selected

Selected

Selected

CM-10

Software Usage Restrictions The organization:
  1. Uses software and associated documentation in accordance with contract agreements and copyright laws;
  2. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and
  3. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

Selected

Selected

Selected

CM-11

User-Installed Software The organization:
  1. Prohibits the installation of software by unapproved users on all government-furnished equipment (GFE); permits only approved roles to install software on GFE;
  2. Enforces software prohibition policies through User Account Control on all workstations and hosts; and
  3. Monitors policy compliance at least monthly.

Note: Policy enforcement methods include procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), collection of application inventory controls, or a combination of these methods.

Selected

Selected

Selected

Appendix A: System Component Inventory Requirements

As defined in the CM control family, specifically CM-8, organizations must develop and document a component inventory for all information systems. The inventory must include all components within the authorization boundary of the information system and be at the level of granularity deemed necessary for tracking and reporting. At a minimum, the inventory record for each system component must include the following information:

  • Unique identifier and/or serial number;
  • System name of which the component is a part;
  • Type of system component (e.g., server, desktop, network device, storage, application);
  • Manufacturer/model;
  • Operating system type and version/service pack level;
  • Presence of virtual machines;
  • Application software version/license information;
  • Physical location (e.g., building/room number);
  • Logical location (e.g., IP [Internet protocol] address);
  • Media Access Control (MAC) address;
  • Owner;
  • Operational status; and
  • Primary and secondary administrators.