
NIST 800-53, Revision 5 Configuration Management (CM) Policy Templates

NIST 800-53 provides guidance on configuration management controls, which are essential for maintaining the security and integrity of information systems throughout their lifecycle. Configuration management involves establishing and maintaining a baseline configuration, managing changes, and ensuring proper configuration control and documentation. Here are key aspects of configuration management as addressed in NIST 800-53.

  • Configuration Management Policy and Procedures: Organizations should develop and maintain a configuration management policy that outlines the objectives, scope, roles, and responsibilities for managing system configurations. Procedures should be established to guide personnel on the implementation and enforcement of configuration management controls.
  • Configuration Baseline: Organizations should establish a documented baseline configuration for their information systems. The baseline represents the approved and known state of the system, including hardware, software, firmware, and associated documentation. It serves as a reference point for managing changes and detecting unauthorized modifications.
  • Configuration Change Control: Changes to the system configuration should be managed through a formal change control process. This process includes evaluating proposed changes, assessing their impact on security and functionality, obtaining proper authorization, and documenting the changes made. Change control procedures help ensure that only approved and authorized modifications are made to the system.
  • Configuration Monitoring: Organizations should implement mechanisms to monitor and track changes to the system configuration. This includes the use of automated configuration management tools or manual processes to detect unauthorized changes, deviations from the baseline, and configuration drift. Monitoring ensures that the system remains in a secure and compliant state.
  • Configuration Integrity Verification: Periodic verification of the integrity of the system's configuration should be performed to detect unauthorized changes or tampering. This involves comparing the current configuration against the established baseline and verifying the integrity of critical files and settings.
  • Configuration Documentation: Organizations should maintain accurate and up-to-date documentation of the system's configuration, including hardware, software, network connections, and security settings. Documentation should include detailed information about the system components, their relationships, and any relevant security parameters or controls.
  • Configuration Management for Information System Components: Configuration management should encompass all components of the information system, including hardware, software, firmware, and network devices. It involves managing configurations for individual components as well as their interactions within the system architecture.
  • Configuration Management for Security Controls: Security controls implemented within the system should be subject to configuration management. This includes managing the configurations of firewalls, intrusion detection/prevention systems, access control mechanisms, encryption settings, and other security-related components.

By implementing effective configuration management controls, organizations can reduce the risk of unauthorized changes, ensure system integrity, and facilitate incident response and recovery. It is important for organizations to assess their systems against the recommended controls in NIST 800-53, tailor them to their specific needs, and establish robust configuration management processes and procedures.
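The baseline comparison and integrity verification described in the bullets above, as an added Python example that is not part of the original page or of NIST 800-53: it hashes critical files into an approved baseline, then reports files added, removed or modified and settings that deviate from the approved values. The file paths, setting names and contents are constructed sample data.

```python
# Added example: detect drift from an approved configuration baseline.
# Files are hashed with SHA-256 so the same functions work on bytes read from disk.
import hashlib


def hash_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(files: dict[str, bytes], settings: dict[str, str]) -> dict:
    """Approved state: one hash per critical file plus the expected settings."""
    return {
        "files": {path: hash_bytes(content) for path, content in files.items()},
        "settings": dict(settings),
    }


def compare_to_baseline(baseline: dict, files: dict[str, bytes], settings: dict[str, str]) -> dict:
    """Return drift relative to the baseline; every field empty means no drift."""
    current = {path: hash_bytes(content) for path, content in files.items()}
    expected = baseline["files"]
    return {
        "added": sorted(set(current) - set(expected)),          # unapproved new files
        "removed": sorted(set(expected) - set(current)),        # baseline files missing
        "modified": sorted(p for p in expected if p in current and current[p] != expected[p]),
        "settings": {k: {"expected": v, "actual": settings.get(k)}
                     for k, v in baseline["settings"].items() if settings.get(k) != v},
    }


def is_compliant(report: dict) -> bool:
    """True only when no file or setting deviates from the baseline."""
    return not any(report.values())


# Constructed sample baseline: critical files and security settings for one host.
BASELINE_FILES = {"etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
                  "etc/sudoers": b"root ALL=(ALL) ALL\n"}
BASELINE_SETTINGS = {"firewall.enabled": "true", "audit.log_level": "info"}
BASELINE = build_baseline(BASELINE_FILES, BASELINE_SETTINGS)

# Constructed current state: sshd_config edited, an unapproved cron job added, firewall disabled.
CURRENT_FILES = {"etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
                 "etc/sudoers": b"root ALL=(ALL) ALL\n",
                 "etc/cron.d/unapproved-job": b"0 3 * * * root /opt/sync.sh\n"}
CURRENT_SETTINGS = {"firewall.enabled": "false", "audit.log_level": "info"}

if __name__ == "__main__":
    drift = compare_to_baseline(BASELINE, CURRENT_FILES, CURRENT_SETTINGS)
    print("compliant" if is_compliant(drift) else f"drift detected: {drift}")
```

In a real deployment the baseline dictionary would be stored separately from the monitored host and signed, so that an unauthorized change cannot also rewrite the reference it is checked against.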

100+ NIST 800-53 Templates Available for Download for Federal Contractors

The solution for federal contractors is the Arlington Security Portal (ASP), an online repository of world-class, industry leading security and privacy policies & procedures, programs, plans – and other highly essential documents & templates developed specifically on NIST SP 800-53, Revision 5.

From Beginning to End, Complete Project Management for NIST RMF

With Arlington, we can manage your entire NIST RMF A&A process from beginning to end (i.e., from the initial scoping & gap assessment to post-Authorization to Operate (ATO) activities), providing essential services for getting you to the finish line in terms of your ATO. Core services and solutions offered include the following:

  • Scoping & Gap (i.e., Readiness) Assessments
  • Remediation Services (Policy and Procedures writing)
  • Remediation Services (Technical and Operational)
  • System Security Plan (SSP) Development
  • Security Assessment Reports (SAR)
  • Continuous Monitoring (ConMon) Services

About Arlington

We are Arlington, a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance challenges – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more at arlingtonintel.com.