Contractors or vendors that work with the Department of Defense (DoD) need to meet specific cybersecurity regulations. The National Institute of Standards and Technology (NIST) has developed a guide to assist businesses with adherence to Defense Federal Acquisition Register Supplement (DFARS) standards. The fourth of the 14 Families of Requirements for NIST 800-171 compliance is configuration management.
What is Configuration Management in Terms of NIST 800-171?
Configuration management requires inventory management and tracking across the whole network environment. It mandates a ticketing and approval system so that changes to systems and tools are approved on a role-required basis and are acquired, incorporated and used securely and purposefully.
Hardware, software, firmware, and documentation are all in scope. Role-based configuration ensures that nothing extraneous is accessed or incorporated, which helps prevent network and system vulnerabilities. The requirement also calls for enforcement at the endpoint (thumb drives, software installs, etc.). You’ll need a ticketing system for configuration management, as well as an endpoint security solution for enforcement. A test or staging environment is also recommended for trialing updates and upgrades before they reach production. The principle of least functionality should be applied to every configuration and application decision. Configuration Management consists of 2 Basic and 7 Derived Requirements:
- 3.4.1 Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational systems.
- 3.4.3 Track, review, approve or disapprove, and log changes to organizational systems.
- 3.4.4 Analyze the security impact of changes prior to implementation.
- 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
- 3.4.6 Employ the principle of least functionality by configuring organizational systems to provide only essential capabilities.
- 3.4.7 Restrict, disable, or prevent the use of nonessential programs, functions, ports, protocols, and services.
- 3.4.8 Apply deny-by-exception (blacklisting) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
- 3.4.9 Control and monitor user-installed software.
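As an added illustration of how two of these requirements look in practice (it is not code from NIST or from this page's author), the script below implements a minimal version of 3.4.1 and 3.4.8: it records an approved baseline inventory as path-to-SHA-256 mappings, compares a later scan against it to report added, removed and modified components (configuration drift that a 3.4.3 change ticket should account for), and applies a deny-all, permit-by-exception rule in which only components whose hash appears in the approved baseline are allowed to run. The file paths and contents are constructed sample data held in memory so the example runs offline; a real deployment would hash the actual files and keep the baseline in a protected store.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Constructed sample data (not taken from any real system). The baseline is the
# approved configuration recorded under 3.4.1; the "current" view is what a
# later inventory scan of the host found. Contents are illustrative bytes.
BASELINE_FILES: dict[str, bytes] = {
    "/usr/local/bin/backup-agent": b"agent v1.2 build 77",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/opt/app/libcore.so": b"libcore 4.0",
}
CURRENT_FILES: dict[str, bytes] = {
    "/usr/local/bin/backup-agent": b"agent v1.2 build 77",
    # Setting changed without an approved change ticket: drift.
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
    # Component that is not in the baseline at all: unapproved addition.
    "/usr/local/bin/unapproved-tool": b"not part of the approved build",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_inventory(files: dict[str, bytes]) -> dict[str, str]:
    """3.4.1: an inventory is the set of component identities (path -> hash)."""
    return {path: sha256_hex(content) for path, content in files.items()}


@dataclass
class Drift:
    added: list[str] = field(default_factory=list)
    removed: list[str] = field(default_factory=list)
    modified: list[str] = field(default_factory=list)

    def is_clean(self) -> bool:
        return not (self.added or self.removed or self.modified)


def compare_to_baseline(baseline: dict[str, str], current: dict[str, str]) -> Drift:
    """Report every way the current inventory departs from the approved baseline."""
    drift = Drift()
    for path in sorted(set(baseline) | set(current)):
        if path not in baseline:
            drift.added.append(path)
        elif path not in current:
            drift.removed.append(path)
        elif baseline[path] != current[path]:
            drift.modified.append(path)
    return drift


def execution_allowed(component_hash: str, allowlist: set[str]) -> bool:
    """3.4.8 deny-all, permit-by-exception: only hashes in the approved set run.

    Anything not explicitly approved is denied, including a known component
    whose contents have changed since it was approved.
    """
    return component_hash in allowlist


def evaluate_host(
    baseline_files: dict[str, bytes], current_files: dict[str, bytes]
) -> tuple[Drift, list[str]]:
    """Run the drift check and the allowlist decision for one host."""
    baseline = build_inventory(baseline_files)
    current = build_inventory(current_files)
    drift = compare_to_baseline(baseline, current)
    # The approved baseline hashes are the only permitted exceptions.
    allowlist = set(baseline.values())
    blocked = sorted(
        path for path, digest in current.items()
        if not execution_allowed(digest, allowlist)
    )
    return drift, blocked


if __name__ == "__main__":
    drift, blocked = evaluate_host(BASELINE_FILES, CURRENT_FILES)
    print("added:   ", drift.added)
    print("removed: ", drift.removed)
    print("modified:", drift.modified)
    print("blocked by allowlist:", blocked)
```

Running the script against the constructed data flags the unapproved tool as added, the missing library as removed, and the SSH configuration as modified; the allowlist then denies both the unapproved tool and the altered configuration because neither hash is in the approved set. Each drift item is the kind of finding that should map back to a 3.4.3 change record, or trigger an incident if no record exists.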
To learn more about NIST SP 800-171 Compliance, please visit NIST.SP.800-171r2.pdf and be sure to review the assessment guide: SP 800-171A, Assessing Security Requirements for CUI | CSRC.
Our extensive partner network ensures that no matter what, we can assist you with all your compliance needs. Contact us here.