Configuration Citations

Configuration Citations contain instructions for how a user should arrange or set up a computer system, application, or component based upon the system, environment, and organizational requirements. They do contain mandates, but for the sake of simplicity they will be discussed on their own.
Configuration Citations must include a Configurable Item, a Configuration Setting, and an Asset, which are used to match against or create both UCF Common Control and Audit Item records. These citations are typically found in Security Technical Implementation Guides, or STIGs, and at STIGViewer.com.
A typical Configuration Citation reads like this: "If the system is using LDAP for authentication or account information, the /etc/ldap.conf (or equivalent) file must be group-owned by security, bin, sys, or system." The /etc/ldap.conf file is a configuration item found within the AIX product line (and many others).
It is best to use more generic, higher-level configuration controls when possible; however, some citations are specific to a particular product, class, or category of assets. When a Common Control calls out a Configurable Item (CI) or Configuration Setting (CS), the corresponding control will be identifiable by term phrases in quotation marks.
(e.g., 9610: Configure the "require AES encryption" setting to organizational standards.)
The example above is only tied to a single Asset, making this a very specific CI control. Since Configuration Citations are encountered less frequently than other types of citations.