HOME

CM-2 (1)

CM-2 (1) H M
Description

The organization reviews and updates the baseline configuration of the information system:
(a) [Assignment: organization-defined frequency];
(b) When required due to [Assignment organization-defined circumstances]; and
(c) As an integral part of information system component installations and upgrades.

FedRAMP
  • H CM-2 (1) (a) [at least annually or when a significant change occurs] CM-2 (1) (b) [to include when directed by the JAB]
  • M CM-2 (1) (a) [at least annually or when a significant change occurs] CM-2 (1) (b) [to include when directed by the JAB]
DISA Cloud Computing SRG

a. annually;
b. baseline configuration changes or as events dictate such as changes due to USCYBERCOM tactical orders/ directives or cyber attacks.

Source:
DoD RMF TAG

Supplemental Guidance

Further Guidance

CM-2 (1) (a) Guidance: Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, page F-7.

Related Controls