How to Create a Configuration Management Plan & Why It’s Important [+ Template]

September 21, 2023

Anna Fitzgerald

Senior Content Marketing Manager at Secureframe


Rob Gutierrez

Senior Compliance Manager at Secureframe

Products and information systems are increasingly complex, as are the processes used to develop and operate them. As a result, the probability of configuration errors and bugs increases.

These errors and bugs can put critical services and data at risk, which may result in unsafe products, lost business, reputation damage, or operational disruptions. 

Having a configuration management plan can reduce these risks and improve the overall security posture of the organization. Keep reading to get a definition, example, and template of a configuration management plan.

What is configuration management?

Configuration management is the set of activities focused on establishing and maintaining the integrity of products and systems, including hardware, software, applications, infrastructure, and documentation. These activities control the processes for initializing, changing, and monitoring the configurations of products and systems throughout the development life cycle.

One of these activities is developing a configuration management plan. Let’s take a closer look at what that is below.

What is a configuration management plan?

A configuration management plan is a comprehensive description of the roles, responsibilities, processes, and procedures that apply when managing the configuration of products and systems.

It describes how to advance changes through change management processes, update configuration settings and baselines, maintain component inventories, and develop, release, and update key documents. It also describes how development, test, and operational environments are controlled.

While every configuration management plan is unique, it should specify the following:

  • Configuration or Change Control Board (CCB): a group of qualified personnel who are responsible for the process of controlling and approving changes throughout the development and operational life cycle of products and systems
  • Configuration Item Identification: a methodology for selecting and naming configuration items that need to be placed under configuration management
  • Configuration Change Control: a process for managing updates to the baseline configurations for the configuration items
  • Configuration Monitoring: a process for assessing or testing the level of compliance with the established baseline configuration and mechanisms for reporting on the configuration status of items placed under configuration management

What is the purpose of a configuration management plan?

Your organization’s products and systems are constantly changing to keep pace with evolving threats or business functions. For example, your product or system may get updated hardware, new software capabilities, or patches for correcting an error to an existing component. Implementing such changes results in some adjustment to the system configuration, which can impact the security of that system and your entire organization.

A configuration management plan that clearly defines the processes and procedures for establishing and maintaining secure system configurations, and who is responsible for managing and controlling those processes and procedures, helps manage the risk associated with those systems and enhances the security posture of both the systems and your entire organization.

Since many vulnerabilities can be traced to software flaws and misconfigurations of system components, a configuration management plan can help control vulnerabilities and unlock a whole range of benefits including:

  • facilitating asset management
  • improving incident response, help desk, disaster recovery and problem solving
  • aiding in software development and release management
  • supporting compliance with policies and preparation for audits 

Why is a configuration management plan important for NIST 800-53 compliance?

Creating and maintaining a configuration management plan supports the implementation of the Configuration Management family of controls defined in NIST 800-53. We’ll take a closer look at two below. 

CM-1 requires organizations to develop, document, and disseminate:

  • A configuration management policy: This policy should cover the following: purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance.
  • Configuration management procedures: These procedures should facilitate the implementation of the configuration management policy and associated configuration management controls.

A configuration management plan satisfies the requirements in a configuration management policy and defines the procedures and processes for how configuration management is used to support system development life cycle activities.

CM-9 specifically requires organizations to develop, document, and implement a configuration management plan for the system that:

  • Addresses roles, responsibilities, and configuration management processes and procedures
  • Establishes a process for identifying configuration items throughout the system development life cycle and for managing the configuration of those items
  • Defines the configuration items for the system and places them under configuration management

This plan should also be reviewed and approved by assigned personnel and protected from unauthorized disclosure and modification.

How to create a configuration management plan

Now it’s time to start formulating and building out your configuration management plan. To guide you, we’ve broken the process down into seven key steps. We’ve also provided an example and template below to help get you started.

1. Define roles and responsibilities.

To start, define the roles that are relevant to the configuration management program along with their responsibilities. For example, a program manager may be responsible for developing configuration management policies and procedures and overseeing the implementation of the program for the entire organization or an individual system. 

Other key roles may include:

  • Chief Information Officer
  • System Administrator
  • System or Software Developer
  • System User
  • CCB member/authorized personnel

2. Identify and prioritize critical systems that will require change and configuration management. 

The next step is identifying and prioritizing what systems and products are required to carry out mission and business processes and must be configured in a particular manner to do so. 

3. Identify assets related to critical systems. 

Next, identify the discrete assets that compose each critical system, such as servers, workstations, routers, or applications. These assets are known as system components.

This list will become your system component inventory and provide a comprehensive view of the components that need to be managed and secured in order to maintain the security of your critical systems.

4. Identify the configuration items of the systems that will require configuration management. 

Now, group the elements that require configuration management into configuration items. These include system components as well as non-component objects such as documents, network diagrams, scripts, custom code, and the various other elements that compose the system. The configurations of the elements within an item are managed as one.

For example, all the desktops running the same type and version of an operating system may be grouped into one configuration item.

5. Determine a configuration baseline for each system. 

Next, develop a secure baseline configuration for the system and its associated configuration items and components. This baseline is the most secure state a system can be in while still meeting operational requirements and constraints such as cost. It may address configuration settings, software loads, patch levels, how the information system is physically or logically arranged, how various security controls are implemented, and documentation.

Once reviewed and approved, implement the configuration baseline. 

6. Develop a configuration management process.

Next, develop a process for how system changes will be managed in order to maintain the approved baseline of the system above.

This process should define the following:

  • How changes are formally identified
  • How they are proposed
  • How they are reviewed
  • How they are analyzed for security impact and tested
  • How they are approved prior to implementation 
  • Who they are reviewed and approved by
  • Who is deploying these changes to production
  • How segregation of duties between development and deployment is implemented

7. Identify tools to use to implement and monitor configurations. 

Automated tools can not only help your organization implement configurations but also monitor them to ensure a system remains secure (i.e., adheres to organizational policies, procedures, and the approved secure baseline configuration). These tools can automatically identify when the system is not consistent with the approved baseline configuration due to undocumented system components, misconfigurations, vulnerabilities, or unauthorized changes, and alert you that remediation actions are necessary.
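As an added illustration of steps 3 through 7 (this is example code, not from the article or from Secureframe), the following drift checker compares an observed inventory against an approved baseline and the CCB's approved-change log, and classifies each deviation into the categories named above. The record layout, hostnames, and setting names are constructed assumptions.

```python
from dataclasses import dataclass

# Approved secure baseline (step 5) for one configuration item (step 4): the
# workstations running the same OS build, plus the settings each must hold.
# All records below are constructed sample data; their layout is an assumption.
BASELINE = {
    "ci-linux-workstations": {
        "components": {"ws-01", "ws-02"},
        "settings": {"ssh.PermitRootLogin": "no", "os.patch_level": "2023-09"},
    }
}

# Changes the CCB has approved (step 6) but not yet folded into the baseline:
# a deviation that matches one of these is authorized, not drift.
APPROVED_CHANGES = {("ws-02", "os.patch_level", "2023-10")}

# Constructed "observed" state, as a scanning tool would report it (step 7).
OBSERVED = {
    "ws-01": {"ssh.PermitRootLogin": "yes", "os.patch_level": "2023-09"},
    "ws-02": {"ssh.PermitRootLogin": "no", "os.patch_level": "2023-10"},
    "ws-99": {"ssh.PermitRootLogin": "no", "os.patch_level": "2023-09"},
}


@dataclass(frozen=True)
class Finding:
    kind: str  # undocumented_component | missing_component | unapproved_deviation
    component: str
    setting: str = ""
    expected: str = ""
    actual: str = ""


def detect_drift(baseline, observed, approved):
    """Compare observed state with the baseline; return findings needing action."""
    findings = []
    inventoried = {h for ci in baseline.values() for h in ci["components"]}
    # Components seen on the network but absent from the inventory (step 3).
    for host in sorted(set(observed) - inventoried):
        findings.append(Finding("undocumented_component", host))
    for ci in baseline.values():
        for host in sorted(ci["components"]):
            if host not in observed:
                findings.append(Finding("missing_component", host))
                continue
            for key, want in ci["settings"].items():
                got = observed[host].get(key, "")
                # Misconfiguration or unauthorized change unless the CCB approved it.
                if got != want and (host, key, got) not in approved:
                    findings.append(Finding("unapproved_deviation", host, key, want, got))
    return findings
```

Each finding maps to a remediation path: undocumented components go to the inventory owner, while unapproved deviations are either reverted or submitted to the CCB for approval and a baseline update.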

Now that you understand the step-by-step process for developing a configuration management plan, let’s look at an example.

Configuration management plan example

A configuration management plan is typically broken down into three parts. The first introduces configuration management and its purpose, provides an overview of the system, and outlines the purpose and scope of the document as well as applicable policies and procedures.

The second details the configuration management program, including roles and responsibilities, policies and procedures and how they’re administered, and any tools used.

The third details configuration management activities, which typically include configuration identification, configuration baselining, configuration change control, monitoring, and reporting.

NASA, the Centers for Disease Control and Prevention, and the US Department of Housing and Urban Development have all published configuration management plan examples that follow this standard outline and format.

Below is a more detailed outline for developing a configuration management plan. 

1. General information
	1.1 Background
	1.2 Overview of system
	1.3 Purpose of document

2. Configuration management program
	2.1 Roles and responsibilities 
	2.2 Program administration
	2.3 Tools

3. Configuration management activities
	3.1 Configuration identification
	3.2 Configuration baselining
	3.3 Configuration change control
	3.4 Monitoring
	3.5 Reporting

Configuration management plan template

NIST 800-53 recommends using templates to help ensure the consistent and timely development and implementation of configuration management plans. Download the free template below, adapt it for your organization, and publish it to your personnel for review.

How Secureframe can help with security-focused configuration management 

Secureframe can help simplify the process of configuration management and NIST 800-53 compliance overall. With Secureframe, you can:

  • Set up NIST 800-53 policies and procedures fast using our library of policies and procedures
  • Leverage our pre-built tests and controls, or create custom upload tests and custom controls for your organization’s unique processes and policies, to comply with NIST 800-53
  • Automatically test controls via continuous configuration data collection from 150+ integrations
  • Stay current with any changes to NIST 800-53 requirements

Schedule a demo to learn how Secureframe can help you achieve and maintain NIST 800-53 compliance across your business.