Domain 7 of 8 · Chapter 3 of 15

Configuration Management

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Certified Information Systems Security Professional premium course — no separate purchase.

Included in this chapter:

  • What configuration management is, and what it is not
  • Baselines, benchmarks, provisioning, and drift
  • Exam-pattern recognition

Configuration management vs change management vs control-baseline selection

DimensionConfiguration management (CM)Change managementControl-baseline selection
Core questionWhat state is the system in, and does it match the approved baseline?Is this proposed modification approved to proceed?Which security controls apply to this system?
Authoritative sourceNIST SP 800-128; SP 800-53 CM familyNIST SP 800-128 (Controlling Changes phase); CCB processNIST SP 800-53B; FIPS 199/200
Meaning of 'baseline'Approved secure configuration of a system/CI (CM-2)The state a change moves the system from and toLow/moderate/high control set per impact level
Primary artifactSecure baseline + configuration-item inventoryChange request, impact analysis, CCB approval, back-out planTailored control list
Failure it preventsConfiguration drift and unknown, unhardened stateUnauthorized or unanalyzed changes reaching productionUnder- or over-protecting a system relative to its impact

Cheat sheet

  • Security-focused configuration management runs in four phases
  • A baseline configuration is a formally approved state changeable only through change control
  • Configuration management is the technical state; change management is the approval process
  • A configuration baseline is not a control baseline
  • Provision new systems from the approved secure baseline, not from defaults
  • Least functionality (CM-7) shrinks attack surface at provisioning time
  • Adopt a recognized secure-configuration benchmark instead of inventing one
  • NIST SP 800-70 runs the National Checklist Program Repository
  • Configuration drift is divergence from the approved baseline
  • Monitoring proves a once-secure system is still secure
  • Automated baseline enforcement is the durable fix for recurring misconfiguration
  • Automation gives baseline uniformity across a fleet
  • You cannot manage the configuration of components you have not inventoried
  • A configuration item is the discrete target of configuration control
  • The Controlling Changes phase analyzes security impact before a change lands

Unlock with Premium — includes all practice exams and the complete study guide.

Also tested in

References

  1. NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems Whitepaper
  2. NIST glossary: baseline configuration Whitepaper
  3. NIST SP 800-53B, Control Baselines for Information Systems and Organizations Whitepaper
  4. NIST SP 800-53 Rev. 5 control CM-8, System Component Inventory Whitepaper
  5. NIST National Checklist Program (NCP), per SP 800-70 Whitepaper
  6. CIS Benchmarks
  7. NIST SP 800-53 Rev. 5 control CM-7, Least Functionality Whitepaper