NIST offers tips on security configuration management

Change is the one constant for most information systems and managing changes in configuration is an essential element of IT security.

“The configuration of an information system and its components has a direct impact on the security posture of the system,” the National Institute of Standards and Technology writes in newly released guidelines for configuration management.

“How those configurations are established and maintained requires a disciplined approach for providing adequate security," it adds.

Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems, supports other publications and standards for configuration management, including SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations.

Security-focused configuration management helps enable appropriate levels of security to be maintained for a system and the management of security risks.

Changes, updates and patches in IT hardware and software almost always results in some adjustment to the system configuration. To ensure that the required adjustments do not harm the security posture of a system, a well-defined configuration management process that integrates information security is needed, according to NIST. While specific configuration controls are spelled out in other documents, this document provides guidance for implementing them.

The Configuration Management family of security controls defined in SP 800-53 includes:

  • CM-1 Configuration Management Policy and Procedures: A formal, documented configuration management policy with procedures for implementation.
  • CM-2 Baseline Configuration: A current baseline configuration of the information system.
  • CM-3 Configuration Change Control: Determining the types of changes to be controlled under the policy, approving those changes with explicit consideration for security impact, and documenting, reviewing and auditing approved changes.
  • CM-4 Security Impact Analysis: Analyzing changes to determine potential security impacts prior to change implementation.
  • CM-5 Access Restrictions for Change: Defining, documenting, approving, and enforcing physical and logical access restrictions associated with changes.
  • CM-6 Configuration Settings: Establishing, documenting and implementing mandatory configuration settings using security configuration checklists that reflect the most restrictive mode consistent with operational requirements; and identifying exceptions.
  • CM-7 Least Functionality: Configuring information systems to provide only essential capabilities and specifically prohibiting or restricting the use of functions, ports, protocols, and services.
  • CM-8 Information System Component Inventory: Developing, documenting, and maintaining an accurate inventory of information system components that provides the level of granularity necessary for tracking and reporting.
  • CM-9 Configuration Management Plan: Developing, documenting, and implementing a configuration management plan addressing roles, responsibilities, processes and procedures throughout the system development life cycle.

About the Author

William Jackson is a Maryland-based freelance writer.


  • business meeting (Monkey Business Images/

    Civic tech volunteers help states with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help. Its successes offer insight into existing barriers and the future of the civic tech movement.

  • data analytics (

    More visible data helps drive DOD decision-making

    CDOs in the Defense Department are opening up their data to take advantage of artificial intelligence and machine learning tools that help surface insights and improve decision-making.

Stay Connected