NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-9(1) Assignment of Responsibility

Assign responsibility for developing the configuration management process to organizational personnel that are not directly involved in system development.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

In the absence of dedicated configuration management teams assigned within organizations, system developers may be tasked with developing configuration management processes using personnel who are not directly involved in system development or system integration. This separation of duties ensures that organizations establish and maintain a sufficient degree of independence between the system development and integration processes and configuration management processes to facilitate quality control and more effective oversight.

Practitioner Notes

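This enhancement requires you to assign responsibility for developing the configuration management process to designated individuals or roles who are not directly involved in system development. Someone must own this process, and that owner should be independent of the development team.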

Example 1: Designate a Configuration Manager role in your IT organization who is responsible for maintaining baselines, running the CCB, and tracking configuration changes.

Example 2: In your system security plan, name the specific individuals responsible for configuration management of each major system component (servers, network, applications).