
Configuration Management Deep Dive

Deep Dive into Changes to the Configuration Management Family in FedRAMP Revision 5

The FedRAMP Program Management Office (PMO) has released new proposed baselines based on NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, (NIST SP 800-53 Rev5). Here we will take a closer look at the changes to the Configuration Management control family that the new baselines bring.

Considerable Changes to the Low, Moderate, and High baselines include:

  • Policies and procedures will now need to be designated as either organizational, mission or business process, or system-level
  • A requirement to designate a specific official to manage the development, documentation, and dissemination of policies and procedures
  • A requirement to update policies and procedures after specified events
  • A requirement to analyze changes to the information system to determine potential privacy impacts as well as security impacts prior to implementing change
  • The requirement to document configuration settings using security configuration checklists has changed to using specific common secure configurations
  • An addition to the inventory development requirement that excludes duplicate accounting of components, or of components assigned to any other system

Considerable Changes to the Moderate and High baselines include:

  • An addition of a parameter requiring documenting configuration management mechanisms that are used to maintain an up-to-date, complete, accurate, and readily available baseline configuration of the information system
  • An addition of a parameter for documenting the number of previous versions of baseline configuration to retain
  • An addition of a parameter for designating security and privacy representatives
  • An addition of a parameter specifying the automated mechanisms used for enforcing access restrictions and supporting auditing of the enforcement actions
  • An addition of a parameter for specifying the automated mechanisms used to centrally manage, apply, and verify configuration settings of system components
  • An addition of a parameter for specifying the automated mechanisms used to detect the presence of unauthorized hardware, software, and firmware components within the information system
  • An addition of a requirement to specify personnel required to review and approve the configuration management plan
  • An addition of a new control with a requirement to identify and document the location of specific information and the specific system components on which the information resides; the users who have access; and changes to the location where the information resides
  • An addition of a new control with a requirement to use automated tools to identify specific information by information type on specific system components to ensure controls are in place to protect organizational information and individual privacy

Considerable Changes to the High baseline include:

  • An addition of a new parameter to specify the automated mechanisms used to document proposed changes to the information system; notify authorities of proposed changes to the information system and request change approval; highlight proposed changes to the information system that have not been approved or disapproved; prohibit changes to the information system until designated approvals are received; document all changes to the information system; and notify personnel when approved changes to the information system are completed
  • An addition of a new parameter to define the actions taken when unauthorized changes are made to configuration settings
  • An addition of a parameter defining automated mechanisms used to maintain the currency, completeness, accuracy, and availability of the inventory of system components

Check back here for more deep dives into changes in each control family and updates on the proposed baselines from the FedRAMP PMO. Contact InfusionPoints for assistance with your FedRAMP journey: https://lz.infusionpoints.com/fedramp