CM.L3-3.4.1e Authoritative Respository
Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.
Source: NIST SP 800-172 3.4.1e
Discussion: The establishment and maintenance of an authoritative source and repository includes a system component inventory of approved hardware, software, and firmware; approved system baseline configurations and configuration changes; and verified system software and firmware, as well as images and/or scripts. The authoritative source implements integrity controls to log changes or attempts to change software, configurations, or data in the repository. Additionally, changes to the repository are subject to change management procedures and require authentication of the user requesting the change. In certain situations, organizations may also require dual authorization for such changes. Software changes are routinely checked for integrity and authenticity to ensure that the changes are legitimate when updating the repository and when refreshing a system from the known, trusted source. The information in the repository is used to demonstrate adherence to or identify deviation from the established configuration baselines and to restore system components from a trusted source. From an automated assessment perspective, the system description provided by the authoritative source is referred to as the desired state. The desired state is compared to the actual state to check for compliance or deviations. [SP 80e-128] provides guidance on security configuration management, including security configuration settings and configuration change control. [IR 8011-1] provides guidance on automation support to assess system and system component configurations.
Assessment Objectives:
Determine if:
- [a] Approved system components are identified;
- [b] Implemented system components are identified;
- [c] An authoritative source and repository are established to provide a trusted source and accountability for approved and implemented system components; and
- [d] An authoritative source and repository are maintained to provide a trusted source and accountability for approved and implemented system components.
Examine: [SELECT FROM: Configuration management policy; procedures addressing the baseline configuration of the system; configuration management plan; enterprise architecture documentation; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; change control records; system and system component inventory records; inventory reviews and update records; security plan; system audit records; change control audit and review reports; other relevant documents or records].
Interview: [SELECT FROM: Personnel with configuration management responsibilities; personnel with responsibilities for establishing the system inventory; personnel with responsibilities for updating the system inventory; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for managing baseline configurations; mechanisms supporting configuration control of the baseline configuration; organizational processes for developing and documenting an inventory of system components; organizational processes for updating inventory of system components; mechanisms supporting or implementing the system inventory; mechanisms implementing updating of the system inventory].
SPRS Score: 1
POA&M Allowed: Yes