STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago

CM-12

Configuration Management · Rev 5 · organization

Information Location

Baselines: Moderate, High

Control Statement

a. Identify and document the location of [Assignment: information] and the specific system components on which the information is processed and stored;

b. Identify and document the users who have access to the system and system components where the information is processed and stored; and

c. Document changes to the location (i.e., system or system components) where the information is processed and stored.

Supplemental Guidance

Information location addresses the need to understand where information is being processed and stored. Information location includes identifying where specific information types and information reside in system components and how information is being processed so that information flow can be understood and adequate protection and policy management provided for such information and system components. The security category of the information is also a factor in determining the controls necessary to protect the information and the system component where the information resides (see [FIPS 199](#628d22a1-6a11-4784-bc59-5cd9497b5445)). The location of the information and system components is also a factor in the architecture and design of the system (see [SA-4](#sa-4), [SA-8](#sa-8), [SA-17](#sa-17)).

Related Controls (16)

AC-2, AC-3, AC-4, AC-6, AC-23, CM-8, PM-5, RA-2, SA-4, SA-8, SA-17, SC-4, SC-16, SC-28, SI-4, SI-7

CCI Identifiers (6)

- CCI-003982: Identify and document the location of the organization-defined information on which the information is processed and stored.
- CCI-003983: Identify and document the specific system components on which the organization-defined information is processed and stored.
- CCI-003984: Defines the information on which the location and specific system components are processed and stored.
- CCI-003985: Identify and document the users who have access to the system where the information is processed and stored.
- CCI-003986: Identify and document the users who have access to the system components where the information is processed and stored.
- CCI-003987: Document changes to the location (i.e., system or system components) where the information is processed and stored.

Linked STIG Checks (0)

No STIG checks reference this control.