NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-8(6) Assessed Configurations and Approved Deviations

Include assessed component configurations and any approved deviations to current deployed configurations in the system component inventory.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Assessed configurations and approved deviations focus on configuration settings established by organizations for system components, the specific components that have been assessed to determine compliance with the required configuration settings, and any approved deviations from established configuration settings.

Practitioner Notes

This enhancement requires your inventory to include the assessed security configuration status and any approved deviations from the baseline for each component.

Example 1: Link each asset in your CMDB to its most recent STIG scan results, showing which settings are compliant and which have approved exceptions documented in the POA&M.

Example 2: Maintain a deviation register that documents any approved departures from your standard security baseline, cross-referenced to the specific assets and the business justification.
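One way to combine Examples 1 and 2 into a single inventory record per asset, shown as an added illustration rather than part of the control text. The asset IDs, setting IDs, field names and the deviation expiry date are constructed assumptions, standing in for whatever your CMDB, scanner export and deviation register actually provide.

```python
from datetime import date

# Constructed sample data (hypothetical asset IDs, setting IDs and field names).
INVENTORY = [
    {"asset_id": "srv-001", "baseline": "rhel9-stig"},
    {"asset_id": "srv-002", "baseline": "rhel9-stig"},
    {"asset_id": "ws-010", "baseline": "win11-stig"},
]
SCAN_RESULTS = [  # most recent assessment per asset: setting -> pass/fail
    {"asset_id": "srv-001", "scanned": date(2024, 5, 1),
     "settings": {"SET-001": "pass", "SET-002": "fail"}},
    {"asset_id": "srv-002", "scanned": date(2024, 5, 1),
     "settings": {"SET-001": "fail", "SET-002": "fail"}},
]
DEVIATIONS = [  # deviation register, cross-referenced to asset and setting
    {"id": "DEV-1", "asset_id": "srv-001", "setting": "SET-002",
     "justification": "legacy app dependency", "expires": date(2024, 12, 31)},
    {"id": "DEV-2", "asset_id": "srv-002", "setting": "SET-001",
     "justification": "vendor constraint", "expires": date(2024, 3, 31)},
]

def build_inventory_records(inventory, scans, deviations, today):
    """Attach assessed configuration status and approved deviations to each asset."""
    scan_by_asset = {s["asset_id"]: s for s in scans}
    records = []
    for asset in inventory:
        rec = dict(asset, assessed=None, compliant=[],
                   approved_deviations=[], unapproved_failures=[])
        scan = scan_by_asset.get(asset["asset_id"])
        if scan is None:  # never assessed: the inventory entry is incomplete
            records.append(rec)
            continue
        rec["assessed"] = scan["scanned"]
        for setting, status in sorted(scan["settings"].items()):
            if status == "pass":
                rec["compliant"].append(setting)
                continue
            # A failed setting is covered only by a matching, unexpired deviation.
            dev = next((d for d in deviations
                        if d["asset_id"] == asset["asset_id"]
                        and d["setting"] == setting
                        and d["expires"] >= today), None)
            if dev:
                rec["approved_deviations"].append(dev["id"])
            else:
                rec["unapproved_failures"].append(setting)
        records.append(rec)
    return records

if __name__ == "__main__":
    for r in build_inventory_records(INVENTORY, SCAN_RESULTS, DEVIATIONS, date(2024, 6, 1)):
        print(r["asset_id"], r["assessed"], r["approved_deviations"], r["unapproved_failures"])
```

Assets with no assessment date and settings listed under unapproved_failures are the gaps an assessor would look for when reviewing the inventory.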