How to know if you are equipped for configuration management?

The NIST SP 800-171 cybersecurity framework covers 14 control families, including configuration management. Compliance with the DFARS 252.204-7012 clause requires adherence to this widely recognized standard. This is required of any company that is part of the Defense Industrial Base (DIB), which numbers 200,000 people, or any company that wants to win RFPs from the US Department of Defense. With the new CMMC government contracting regulations, it’s essential for DoD contractors to be equipped for configuration management.

What is configuration management, and how does it work?

Configuration management and change management overlap in certain respects, but only where technology and data governance are concerned. When change is the only constant and enterprises must continually adapt and upgrade their information systems to meet demand, proper upkeep and management of those systems and their settings is critically important.

Configuration management refers to the rules and processes put in place to establish or maintain the security of information and of the technologies that create, store, or transmit it. It applies to information throughout its entire lifecycle, from initial acquisition to final destruction. As a result, configuration management covers the whole spectrum of data-bearing assets, including servers, libraries, network connections, and software.

Configuration management is critical for any business, particularly those that make up the DIB. This proactive approach goes well beyond routine patch maintenance and removes a slew of tedious manual tasks. The goal is to minimize downtime caused by system updates or modifications, avoid operational problems, and keep data safe while it moves from one platform to another.

Here’s what a good configuration management strategy should include, according to NIST SP 800-171:


As with any privacy- or compliance-related effort, planning has a significant effect on whether a project succeeds or fails. New technology adoption and any modifications to existing IT systems cannot occur in a vacuum; there must be close alignment between the program and the business’s goals and obligations.

The configuration management approach begins with planning. It entails creating a policy and a set of rules to govern change, and defining which teams or individuals are responsible for what. These rules and practices must be kept current and aligned with the company’s particular technological and operational environment.


Security leaders must establish a baseline configuration after completing the initial planning and preparation step. This baseline sets the minimum criteria the business must meet to comply with internal policies and external regulatory requirements such as DFARS 252.204-7012 and CMMC.

An approved baseline should cover the system under consideration and its associated components. All critical elements, including configuration settings, projected system loads, required patch levels, and how data is physically and logically organized, must be addressed in a secure baseline. Automation can significantly help keep systems interoperable and consistent with one another.


Because of the ever-changing nature of technology, changes frequently occur beyond the organization’s control. This is notably true in the age of software-as-a-service and cloud hosting, but it also applies to current operating systems, which organizations must update in most situations. As a result, there must be a means to keep settings secure through those changes.

After defining the baseline, security leaders must put in place the controls that enforce their policies and procedures. Any system change must occur in a controlled setting, with administrative controls and procedures in place to prevent unauthorized or undocumented changes.
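One way to operationalize the baseline and change-control steps described above, as an added example that is not from the original article: a small Python check that compares a host's observed settings against an approved baseline and against the exceptions approved through change control, and flags settings that are missing, below the required patch level, changed without approval, or not covered by the baseline at all. The baseline, the change record and the observed values are all constructed for illustration.

```python
"""Baseline drift check: compare observed host settings with an approved
baseline and approved change records. All data below is constructed."""

# Constructed approved baseline. Keys under "patch." are minimum versions;
# every other key must match exactly.
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.enabled": "yes",
    "patch.openssl": "3.0.13",
}

# Constructed change record: new values that went through change control.
APPROVED_CHANGES = {
    "ssh.PasswordAuthentication": "yes",   # hypothetical approved exception
}

# Constructed settings collected from one host.
OBSERVED = {
    "ssh.PermitRootLogin": "yes",          # changed without approval
    "ssh.PasswordAuthentication": "yes",   # changed, but approved
    "patch.openssl": "3.0.11",             # below the required patch level
    "debug.console": "enabled",            # not covered by the baseline
}

def version_key(version):
    """Turn '3.0.13' into (3, 0, 13) so patch levels compare numerically."""
    return tuple(int(part) for part in version.split("."))

def check_drift(baseline, observed, approved=None):
    """Return sorted (setting, finding, expected, actual) tuples. Findings are
    'missing', 'outdated', 'approved', 'unauthorized' or 'undocumented'."""
    approved = approved or {}
    findings = []
    for key, expected in baseline.items():
        if key not in observed:
            findings.append((key, "missing", expected, None))
        elif key.startswith("patch."):
            if version_key(observed[key]) < version_key(expected):
                findings.append((key, "outdated", expected, observed[key]))
        elif observed[key] != expected:
            status = "approved" if approved.get(key) == observed[key] else "unauthorized"
            findings.append((key, status, expected, observed[key]))
    for key in observed.keys() - baseline.keys():   # settings the baseline never defined
        findings.append((key, "undocumented", None, observed[key]))
    return sorted(findings)

if __name__ == "__main__":
    for setting, finding, expected, actual in check_drift(BASELINE, OBSERVED, APPROVED_CHANGES):
        print(f"{finding:12} {setting}: expected={expected!r} actual={actual!r}")
```

Anything reported as unauthorized or undocumented is exactly the class of change the controls above are meant to prevent, and is the first thing to reconcile against the change log.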