
Configuration Management Plan

SAMPLE OUTLINE FOR A SECURITY CONFIGURATION MANAGEMENT PLAN

The following is an outline for developing a SecCM Plan for an organization and/or an information system. Organizations are encouraged to adapt the outline to make it suitable for their operational environment.

INTRODUCTION

    BACKGROUND
        [Overview of SecCM and its purpose]

    OVERVIEW OF SYSTEM
        [System description; may reference relevant section of System Security Plan]
        System Mission
        Data Flow Description
        System Architecture
        System Administration and Management Activities

    PURPOSE OF THIS DOCUMENT
        [Use of this document]

    SCOPE
        [Applicability of this plan]

    APPLICABLE POLICIES AND PROCEDURES
        [List of applicable federal and organizational policies, standards, and procedures]

SecCM PROGRAM

    SecCM ROLES AND RESPONSIBILITIES
        [Description of roles/responsibilities for SecCM]

    SecCM PROGRAM ADMINISTRATION
        [Policies, Procedures, CCB]
        SecCM Policies and Procedures (included herein or by reference)
        Configuration Control Board Functions
            Establishment of Change Control Board at the Organization Level
            Establishment of Change Control Board at the System Level
        Schedules and Resource Requirements

    SecCM TOOLS
        [Tools and archival locations for CCB]
        SCM Tools
        SCM Library

    SecCM RETENTION, ARCHIVING, STORAGE AND DISPOSAL
        [Requirements for managing historical information on CIs, changes, etc.]

SecCM ACTIVITIES

    CONFIGURATION IDENTIFICATION
        Types of Configuration Items (CI)
            [Description of categories of CIs, such as HW, documentation, SW and scripts, web pages]
        Identification Criteria
            [How to determine which Information System Components will be included with which CIs]
        Configuration Item Labeling
            [Naming convention for CIs]

    CONFIGURATION BASELINING
        [Defining the information to be included in the baseline for each CI]
        Identification of Applicable Common Secure Configurations
        Information System Component CI Baselines
        Non-Component Object CI Baselines

    CONFIGURATION CHANGE CONTROL
        [Requirements related to Configuration Change Control]
        Handling of Scheduled, Unscheduled, and Unauthorized Changes
        Security Impact Analysis
        Testing
        Submission of Findings to the Change Control Board
        Change Control Board Evaluation and Approval Process
        Recording Requirements

    SecCM MONITORING
        [Requirements related to monitoring baseline configurations and adherence to SecCM policies]
        Organization Level Tools
        System Level Tools
        Monitoring Requirements and Frequencies

    SecCM REPORTING
        [Requirements related to reporting SecCM monitoring results and statistics to appropriate organizational staff]
        Report Recipients
        Reviewing Reports

Suggested SecCM Plan APPENDICES:

    CCB Charter
    Change Request Form Template
    Security Impact Analysis Report Format
    References