NIST 800-53 CM-6

Configuration Settings



Automated Inspection items for NIST SP 800-53 CM-6 assessment.

Automated Inspection items are efficient enough that they can usually be part of a CA-7 Continuous Monitoring program on a daily (or in some cases hourly) basis, simultaneously meeting the requirements of RA-5 Vulnerability Scanning. While NIST 800-53 allows Continuous Monitoring results to be used for CA-2 Security Assessments and CA-4 Security Certification, a separate run using the same automated Inspection items in combination with more laborious items for CA-2 and CA-4 adds no significant burden.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen, LJK/Security™ starter templates provide automated Inspection items as follows:

NIST SP 800-53 R2 CM-6
Each Description is followed by its Automated Tests (indented):

DECnotes files are properly protected.
    (DISK,NOTESPROT,ABSOLUTLO)
Directory files are properly protected.
    (DISK,DIRPROT,ABSOLUTLO)
Each Username shall have a password minimum length no longer than 14.
    (UAF,PWDMINLEN,ABSOLUTHI)
Each Username shall have sessions initially start with Control Y disabled.
    (UAF,DISCTLY,PROHIBITED)
    (UAF,DISCTLY,REQUIRED)
Each Username shall use a standardized definition of primary and secondary days.
    (UAF,DAYMUSTBE,PRIMARY)
    (UAF,DAYMUSTBE,SECONDARY)
Each terminal shall have Broadcasts enabled.
    (TERM,BROADCAST,PROHIBITED)
    (TERM,BROADCAST,REQUIRED)
General files are properly protected.
    (DISK,FILEPROT,ABSOLUTLO)
Help and Library files are properly protected.
    (DISK,HELPPROT,ABSOLUTLO)
No Username shall rely upon the Dialup indicator for access control.
    (UAF,DIALUP,DISTRUST)
No device shall have a protection that does not allow owner access.
    (DEVICE,PROTECTION,ABSOLUTLO)
No disk shall have a protection that allows other than System access.
    (DISK,PROTECTION,ABSOLUTLO)
No terminal is set up for a shared system password.
    (TERM,SYSPWD,PROHIBITED)
    (TERM,SYSPWD,REQUIRED)
No terminal shall auto-login to a non-existent username.
    (TERM,AUTOLOGIN,NOSUCHUSER)
No terminal shall have a protection that allows other than System and Owner access.
    (TERM,PROTECTION,ABSOLUTLO)
No terminal shall have a protection that does not allow System and Owner access.
    (TERM,PROTECTION,ABSOLUTHI)
No unauthorized use is made of the SYSUAF User Data field.
    (UAF,USRDATOFF,PROHIBITED)
    (UAF,USRDATOFF,REQUIRED)
Oracle DBMS files are properly protected.
    (DISK,DBMSPROT,ABSOLUTLO)
Oracle Rdb VMS files are properly protected.
    (DISK,RDBVMSPROT,ABSOLUTLO)
Processes detached under AC-11 are terminated after 1 hour.
    (VMS,TTYTIMEOUT,ABSOLUTLO)
Queues are properly protected.
    (QUEUE,PROTECTION,ABSOLUTLO)
SYS$COMMON: executable files are properly protected.
    (DISK,SYSEXEPROT,ABSOLUTLO)
System parameter FILEPROT has a value that by default does not prevent SYSPRV access.
    (VMS,FILEPROT,ABSOLUTLO)
System parameter LGI_BRK_LIM has a value no lower than 3.
    (VMS,LGIBRKLIM,ABSOLUTLO)
System parameter LGI_HID_TIM is set between 600 and 3600.
    (VMS,LGIHIDTIM,ABSOLUTHI)
System parameter LGI_PWD_TMO is set between 30 and 60 seconds.
    (VMS,LGIPWDTMO,ABSOLUTHI)
    (VMS,LGIPWDTMO,ABSOLUTLO)
System parameter LGI_RETRY_LIM is set between 1 and 5 times.
    (VMS,LGIRETRYLM,ABSOLUTHI)
    (VMS,LGIRETRYLM,ABSOLUTLO)
System parameter LGI_RETRY_TIM is set between 20 and 60 seconds.
    (VMS,LGIRETRYTM,ABSOLUTHI)
    (VMS,LGIRETRYTM,ABSOLUTLO)
System parameter MAXSYSGROUP is set to the value 8.
    (VMS,MAXSYSGRP,ABSOLUTLO)
System parameter MVTIMEOUT has a value between 300 and 64000 seconds.
    (VMS,MVTIMEOUT,ABSOLUTHI)
    (VMS,MVTIMEOUT,ABSOLUTLO)
System parameter SECURITY_POLICY has the ALLOW_ALTERNATE_TRANSPORTS bit set to 1.
    (VMS,SECPOLICY,PROHIBITED)
    (VMS,SECPOLICY,REQUIRED)
System parameter SECURITY_POLICY has the ALLOW_CAPTIVE_SPAWN bit cleared.
    (VMS,SECPOLICY,PROHIBITED)
    (VMS,SECPOLICY,REQUIRED)
System parameter SECURITY_POLICY has the ALLOW_DISPLAY_POSTSCRIPT bit set to 1.
    (VMS,SECPOLICY,PROHIBITED)
    (VMS,SECPOLICY,REQUIRED)
System parameter SECURITY_POLICY has the ALLOW_MULTIPLE_DECW_USERS bit set to 1.
    (VMS,SECPOLICY,PROHIBITED)
    (VMS,SECPOLICY,REQUIRED)
System parameter SECURITY_POLICY has the ALLOW_SPAN_JOB_TREES bit cleared.
    (VMS,SECPOLICY,PROHIBITED)
    (VMS,SECPOLICY,REQUIRED)
System parameter SECURITY_POLICY has the COMPRESS_MAC_STRINGS bit cleared.
    (VMS,SECPOLICY,PROHIBITED)
    (VMS,SECPOLICY,REQUIRED)
System parameter SECURITY_POLICY has the GUARD_PASSWORDS bit set to 1.
    (VMS,SECPOLICY,PROHIBITED)
    (VMS,SECPOLICY,REQUIRED)
System parameter SECURITY_POLICY has the IGNORE_EXTAUTH bit cleared.
    (VMS,SECPOLICY,PROHIBITED)
    (VMS,SECPOLICY,REQUIRED)
System parameter SECURITY_POLICY has the USE_POSIX_UIDGID bit cleared.
    (VMS,SECPOLICY,PROHIBITED)
    (VMS,SECPOLICY,REQUIRED)
The Command Language Interpreter for each username must be DCL.
    (UAF,CLIDCL,PROHIBITED)
    (UAF,CLIDCL,REQUIRED)
    (UAF,CLIMCR,PROHIBITED)
    (UAF,CLIMCR,REQUIRED)
    (UAF,CLIOTHER,PROHIBITED)
    (UAF,CLIOTHER,REQUIRED)
    (UAF,CLISHELL,PROHIBITED)
    (UAF,CLISHELL,REQUIRED)
Usernames with full privilege to control the system shall require dual passwords.
    (UAF,PWDNULL,SECPROHIB)
    (UAF,PWDNULL,SECREQUIRE)
VMSmail files are properly protected.
    (DISK,MAILPROT,ABSOLUTLO)

NIST SP 800-53 R2 CM-6(1)
Each Description is followed by its Automated Tests (indented):

Continuous Monitoring and Vulnerability Detection are conducted.
    (USAGE,ASSESSMENT,CONTINUING)
LJK/Security starts whenever the system boots.
    (VMS,STARTUP,MUSTHAVE)

Manual Inspection items for NIST SP 800-53 CM-6 assessment.

Manual Inspection items are useful mainly for CA-2 Security Assessments and CA-4 Security Certification. For most environments they are too laborious to include in CA-7 Continuous Monitoring.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen, LJK/Security™ starter templates provide Manual Inspection items in the following groups:

Determination Statement Number    Group Names
NIST SP 800-53 R2 CM-6            POLICY
NIST SP 800-53 R2 CM-6(1)         POLICY

Manual Invasive Testing items for NIST SP 800-53 CM-6 assessment.

Manual Invasive Testing items are useful mainly for CA-2 Security Assessments and CA-4 Security Certification. For most environments they are too laborious to include in CA-7 Continuous Monitoring. The level of effort required and the degree of invasiveness are so high (in most cases making up for lack of Common Criteria evaluation) that arrangement as a Common Control is almost always a requirement for execution.

Depending on FIPS 199 impact level and whether the Industrial Control Systems (ICS/SCADA) subset of 800-53 is chosen, LJK/Security™ starter templates provide Manual Invasive Testing items in the following groups:

Determination Statement Number    Group Names
NIST SP 800-53 R2 CM-6            TEST_VMS_PARAMETER
NIST SP 800-53 R2 CM-6(1)         TEST_ADD_CONFCENT

Descriptions above apply to LJK/Security™ Version 3.0.

The notation NIST SP 800-53 above refers in particular to NIST Special Publication 800-53 Revision 2.

Those NIST Special Publications specify security standards in support of FISMA for US Federal Government civil activities.
