03.04.11: Information Location

Control Familly: Configuration Management

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications

N/A

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.04.11

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

CM-12

a. Identify and document the location of CUI and the system components on which the information is processed and stored.

b. Document changes to the system or system component location where CUI is processed and stored.

Discussion:

Information location addresses the need to understand the specific system components where CUI is being processed and stored and the users who have access to CUI so that appropriate protection mechanisms can be provided, including information flow controls, access controls, and information management.

Assessment Methods and Objectives

Examine [SELECT FROM: configuration management policy and procedures; configuration management plan; procedures for identification and documentation of information location; system audit records; architecture documentation; system design documentation; list of users with system and system component access; change control records; system component inventory; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with responsibilities for managing information location and user access; personnel with responsibilities for operating, using, or maintaining the system; personnel with information security responsibilities; system developers; system administrators]

Test [SELECT FROM: processes governing information location; mechanisms for enforcing policies and methods for governing information location]