Risk Management Handbook (RMH) Chapter 5: Configuration ...

Centers for Medicare & Medicaid Services
Information Security and Privacy Group

Risk Management Handbook (RMH) Chapter 5: Configuration Management
Version May 03, 2018

Record of Changes

The Record of Changes table below is used to capture changes when updating the document. All columns are mandatory.

Version Number | Date | Chapter Section | Author/Owner Name | Description of Change
 | 1/11/2018 | All | ISPG | Initial Publication
 | 05/03/2018 | Sections and 3 | ISPG | Alignment of CMS Defined Parameters with recently published Acceptable Risk Safeguards (ARS) Version ; Inserted HIPAA Security Rule Integration section; Removal of Non-Mandatory Controls

Effective Date/Approval

This policy becomes effective on the date that CMS's Chief Information Officer (CIO) signs it and remains in effect until it is rescinded, modified, or superseded by another policy.

Signature: /S/
Date of Issuance: 1/11/2018
George Hoffmann, Acting Chief Information Officer and Acting Director, Office of Information Technology (OIT)

Standard Owner's Review Certification

This document shall be reviewed in accordance with the established review schedule located on the CMS website.

Signature: /S/
Date of Annual Review: 1/9/2018
Emery Csulak, CMS Chief Information Security Officer and Senior Official for Privacy

Table of Contents

Effective Date/Approval .. iii
Table of Contents .. iv
1. Purpose .. 7
   Authority .. 7
   Scope .. 7
   Handbook Structure .. 8
   Background .. 8
   Basic Configuration Management .. 10
   HIPAA Security Rule Integration .. 11
   Policy (CM-1) .. 13
   Standards .. 15
   Guidelines .. 15
2. Roles and Responsibilities .. 16
3. Procedures .. 18
   Baseline Configuration (CM-2) .. 18
   Reviews and Updates (CM-2(1)) .. 19
   Automation Support for Accuracy/Currency (CM-2(2)) .. 20
   Retention of Previous Configurations (CM-2(3)) .. 21
   Configure Systems, Components, or Devices for High-Risk Areas (CM-2(7)) .. 22
   Configuration Change Control (CM-3) .. 24
   Automated Document/Notification/Prohibition of Changes (CM-3(1)) .. 26
   Test/Validate/Document Changes (CM-3(2)) .. 28
   Security Impact Analysis (CM-4) .. 29
   Separate Test Environments (CM-4(1)) .. 34
   Access Restrictions for Change (CM-5) .. 34
   Automated Access Enforcement/Auditing (CM-5(1)) .. 35
   Review System Changes (CM-5(2)) .. 36
   Signed Components (CM-5(3)) .. 37
   Configuration Settings (CM-6) .. 37
   Automated Central Management/Application/Verification (CM-6(1)) .. 41
   Respond to Unauthorized Changes (CM-6(2)) .. 42
   Least Functionality (CM-7) .. 43
   Periodic Review (CM-7(1)) .. 44
   Prevent Program Execution (CM-7(2)) .. 46
   Authorized Software/Whitelisting (CM-7(5)) .. 48
   Information System Component Inventory (CM-8) .. 49
   Updates During Installations/Removals (CM-8(1)) .. 52
   Automated Maintenance (CM-8(2)) .. 52
   Automated Unauthorized Component Detection (CM-8(3)) .. 53
   Accountability Information (CM-8(4)) .. 54
   No Duplicate Accounting of Components (CM-8(5)) .. 55
   Configuration Management Plan (CM-9) .. 56
   Software Usage Restrictions (CM-10) .. 56
   User-Installed Software (CM-11) .. 58
Appendix A. Acronyms .. 60
Appendix B. Glossary of Terms .. 62
Appendix C. Applicable Laws and Guidance .. 68
Appendix D. ARS Standards Configuration Management (CM) .. 73
Appendix E. Control/Policy Cross Reference Table .. 89
Appendix F. Security Impact Assessment Template .. 92
Appendix G. Points of Contact .. 93
Appendix H. Feedback and .. 94
Appendix I. Events As Triggers Of Change .. 95

Tables

Table 1: CMS Defined Parameters - Control CM-2(1) .. 19
Table 2: CMS Defined Parameters - Control CM-2(3) .. 21
Table 3: CMS Defined Parameters - Control CM-2(7) .. 22
Table 4: CMS Defined Parameters - Control CM-3 .. 24
Table 5: CMS Defined Parameters - Control CM-3(1) .. 26
Table 7: CMS Defined Parameters - Control CM-5(2) .. 36
Table 8: CMS Defined Parameters - Control CM-5(3) .. 37
Table 10: CMS Defined Parameters - Control CM-6 .. 38
Table 11: CMS Defined Parameters - Control CM-6(1) .. 41
Table 12: CMS Defined Parameters - Control CM-6(2) .. 42
Table 13: CMS Defined Parameters - Control CM-7 .. 43
Table 14: CMS Defined Parameters - Control CM-7(1) .. 45
Table 15: CMS Defined Parameters - Control CM-7(2) .. 46
Table 17: CMS Defined Parameters - Control CM-7(5) .. 48
Table 18: CMS Defined Parameters - Control CM-8 .. 50
Table 19: CMS Defined Parameters - Control CM-8(3) .. 53
Table 20: CMS Defined Parameters - Control CM-8(4) .. 54
Table 22: CMS Defined Parameters - Control CM-11 .. 58

Figures

Figure 1: Risk Management Framework (RMF) .. 10
Figure 2: Configuration Management Phases .. 11
Figure 4: Application Change Checklist .. 30
Figure 5: Network Change Checklist .. 31
Figure 6: Environmental Change Checklist .. 31
Figure 7: Risk Assessment Template .. 32
Figure 8: Security Control Change Template .. 33

1. Purpose

The Centers for Medicare & Medicaid Services (CMS) RMH Chapter 5 Configuration Management is written in compliance with the CMS Information Systems Security and Privacy Policy (IS2P2) and the CMS Information Security Acceptable Risk Safeguards (ARS). The intent of this document is to describe standard operating procedures that facilitate the implementation of security controls associated with the Configuration Management (CM) family of controls taken from the National Institute of Standards and Technology (NIST) Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and tailored to the CMS environment in the CMS ARS.

Authority

The Federal Information Security Modernization Act (FISMA) of 2014 designated NIST as the authority to provide guidance to federal agencies for implementing information security and privacy requirements for federal information systems.

In addition, CMS must comply with the Privacy Act of 1974 (Privacy Act), the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the E-Government Act of 2002. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcement of the HIPAA Privacy Rule. In addition, the CMS IS2P2 defines the framework under which CMS protects and controls access to CMS information and information systems in compliance with the federal laws. Per the HHS Information Systems Security and Privacy Policy (IS2P), the CMS Chief Information Officer (CIO) designates the CMS Chief Information Security Officer (CISO) as the CMS authority for implementing the CMS-wide information security program.

HHS policy also designates the Senior Official for Privacy (SOP) as the CMS authority for implementing the CMS-wide privacy program. Through this Policy, the CIO/SOP delegate authority and responsibility to specific organizations and officials within CMS to develop and administer defined aspects of the CMS Information Security and Privacy Program. All CMS stakeholders must comply with and support this Handbook to ensure compliance with federal requirements and programmatic policies, standards, and procedures, and to facilitate the implementation of information security and privacy controls.

Scope

This Handbook documents procedures that facilitate the implementation of the security controls and standards defined in the CMS IS2P2 and the CMS ARS for the Configuration Management (CM) family of security controls.
