CM-12 Information Location

Configuration Management

Baselines: Moderate, High. New in Rev 5.

Description

a. Identify and document the location of [Assignment: organization-defined parameters] and the specific system components on which the information is processed and stored;
b. Identify and document the users who have access to the system and system components where the information is processed and stored; and
c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

Supplemental Guidance

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445)). The location of the information and system components is also a factor in the architecture and design of the system (see SA-04, SA-08, SA-17).

Changes from Rev 4

New control in Rev 5.

MITRE ATT&CK Techniques (2)

ATT&CK v16.1

Techniques mitigated by this control, mapped via CTID.

Collection: 2 techniques

Compliance Mappings

ISO 27001:2022

A.5.9

ISO 27002:2022

5.9

COBIT 2019

APO14, BAI09, BAI10

CIS Controls v8

CIS 1, CIS 1.1, CIS 1.3, CIS 1.4, CIS 1.5, CIS 2, CIS 2.1, CIS 2.4, CIS 3, CIS 3.2, CIS 3.8

NIST CSF 2.0

ID.AM-03, ID.AM-07

SOC 2 TSC

C1.1, CC6.1-POF1

PCI DSS v4.0.1

12.5, 3.1, 3.2, 3.5

FINOS CCC

CCC-C06, CCC-C16

ISO 42001:2023

A.4.2, A.7.3

NIS2 Directive

Art. 21(2)(i)

PRA Operational Resilience

SS1/21-3.1, SS1/21-5.2, SS2/21-14.1

MAS TRM

11

APRA CPS 234

Para 21

ASD Essential Eight

E8-2 ML3

BSI IT-Grundschutz

NET.1.2

ANSSI

Hygiene.5, SecNumCloud.9.1

FINMA Circular 2023/1

IV.A(28), IV.A(30), IV.A(31), IV.D(78), IV.D(79)

OSFI B-13

B-13.2.1

EU GDPR

Art.25(1), Art.30(1), Art.35(7)(a), Art.5(1)(c), Art.5(1)(e), Rec.78

EU DORA

Art.28(4), Art.8(1), Art.8(4)

BIO2

5.9

RBI CSF

Annex1.1

FISC Security Guidelines

FISC.O9, FISC.T5

LGPD + BCB 4893

BCB.Art.13, BCB.Art.14, BCB.Art.20, LGPD.Art.6

HKMA TM-E-1

TME1.12.4, TME1.7.2

EU CRA

CRA.II.1

SAMA CSF

2.1

NCA ECC

2-1

UAE IA

T4

CBB TM

TM-15, TM-9

Qatar NIA

AMOS

CBUAE

CR-5

CBE CSF

CRM-2, CTO-2

SA JS2

JS2-6.1, JS2-8.2

CBN CSF

Part3.1, Part3.4

BoG CISD

CISD-V, CISD-XII

POPIA

s10, s14, s17

BoM CTRM

2.1

IOSCO Cyber Resilience

ID-1, ID-2, ID-4

BCBS 239

Principle 2, Principle 4

CPMI-IOSCO PFMI

CG.ID

FFIEC IS

II.C.5

NYDFS 500

500.13

ECB CROE

CROE.2.2.2

EBA ICT Guidelines

3.3.2

SEBI CSCRF

ID.AM

BOT Cyber Resilience

Ch2.1

CMMC 2.0

CM

CBEST

CBEST.3

ISAE 3402

Clause 9

Solvency II

DR.266-DataSec, EIOPA-Cloud-GL9, EIOPA-ICT-4.3

Lloyd's Minimum Standards

MS1.1, MS13.1, MS2.1, MS6.1, MS8.7, MS9.1

NAIC Insurance Data Security

34-asset

PRA SS1/23

P1.1, P3.2

HITRUST CSF v11

07.a

ISO 27799

8.1

NHS DSPT

NDG-5.3, NDG-8.3