NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-2(6) Development and Test Environments

Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Establishing separate baseline configurations for development, testing, and operational environments protects systems from unplanned or unexpected events related to development and testing activities. Separate baseline configurations allow organizations to apply the configuration management that is most appropriate for each type of configuration. For example, the management of operational configurations typically emphasizes the need for stability, while the management of development or test configurations requires greater flexibility. Configurations in the test environment mirror configurations in the operational environment to the extent practicable so that the results of the testing are representative of the proposed changes to the operational systems. Separate baseline configurations do not necessarily require separate physical environments.

Practitioner Notes

This enhancement requires development and test environments that are separate from your production environment, each with its own documented baseline configuration.

Example 1: Maintain separate Azure subscriptions or AWS accounts for development, testing, and production, each with documented baseline configurations and no direct connections between dev/test and production.

Example 2: Use VMware or Hyper-V to create isolated virtual networks for testing configuration changes before deploying them to production servers.