NIST offers tips on security configuration management

Change is the one constant for most information systems and managing changes in configuration is an essential element of IT security.

“The configuration of an information system and its components has a direct impact on the security posture of the system,” the National Institute of Standards and Technology writes in newly released guidelines for configuration management.

“How those configurations are established and maintained requires a disciplined approach for providing adequate security," it adds.

Special Publication 800-128, Guide for Security-Focused Configuration Management of Information Systems, supports other publications and standards for configuration management, including SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations.

Security-focused configuration management helps enable appropriate levels of security to be maintained for a system and the management of security risks.

Changes, updates and patches in IT hardware and software almost always results in some adjustment to the system configuration. To ensure that the required adjustments do not harm the security posture of a system, a well-defined configuration management process that integrates information security is needed, according to NIST. While specific configuration controls are spelled out in other documents, this document provides guidance for implementing them.

The Configuration Management family of security controls defined in SP 800-53 includes:

  • CM-1 Configuration Management Policy and Procedures: A formal, documented configuration management policy with procedures for implementation.
  • CM-2 Baseline Configuration: A current baseline configuration of the information system.
  • CM-3 Configuration Change Control: Determining the types of changes to be controlled under the policy, approving those changes with explicit consideration for security impact, and documenting, reviewing and auditing approved changes.
  • CM-4 Security Impact Analysis: Analyzing changes to determine potential security impacts prior to change implementation.
  • CM-5 Access Restrictions for Change: Defining, documenting, approving, and enforcing physical and logical access restrictions associated with changes.
  • CM-6 Configuration Settings: Establishing, documenting and implementing mandatory configuration settings using security configuration checklists that reflect the most restrictive mode consistent with operational requirements; and identifying exceptions.
  • CM-7 Least Functionality: Configuring information systems to provide only essential capabilities and specifically prohibiting or restricting the use of functions, ports, protocols, and services.
  • CM-8 Information System Component Inventory: Developing, documenting, and maintaining an accurate inventory of information system components that provides the level of granularity necessary for tracking and reporting.
  • CM-9 Configuration Management Plan: Developing, documenting, and implementing a configuration management plan addressing roles, responsibilities, processes and procedures throughout the system development life cycle.

About the Author

William Jackson is a Maryland-based freelance writer.


  • automated processes (Nikolay Klimenko/

    How the Army’s DORA bot cuts manual work for contracting professionals

    Thanks to robotic process automation, the time it takes Army contracting professionals to determine whether prospective vendors should receive a contract has been cut from an hour to just five minutes.

  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

Stay Connected