Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Safeguarding Controlled Unclassified Information (CUI) when working with a federal customer is critical to federal agencies and can directly impact your business. NIST SP 800-171 provides recommended minimal controls for protecting CUI. The requirements apply to all of the non-federal systems that process, store, or transmit CUI, or provide security protection for such components.

Requirements are specifically broken out into "Families" with sub-requirements underneath each family.

Configuration Management

3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

NIST Special Publication 800-128 provides guidance on security-focused configuration management.

3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.

This requirement covers establishing and maintaining baseline configurations for systems and system components, including the configuration of system communications and connectivity.

Baseline configurations include information about:

  • System components

  • Network topology

  • Logical placement within the system architecture

Organizations can implement centralized system component inventories that include components from multiple organizational systems.

NIST Special Publications 800-70 and 800-128 provide guidance on security configuration settings.

3.4.3 Track, review, approve/disapprove, and audit changes to information systems.

Configuration change controls for organizational systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems.

Configuration change control includes:

  • Changes to baseline configurations for components and configuration items of systems

  • Changes to configuration settings for information technology products

  • Unscheduled and unauthorized changes

  • Changes to remediate vulnerabilities.

Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems.

NIST Special Publication 800-128 provides guidance on configuration change control.
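Requirements 3.4.1 through 3.4.3 come together in one routine control: diff what is observed on a host against its approved baseline, then decide which differences were approved through change control and which were not. The script below is an added example written for this page (it is not Ignyte or NIST code). The host, package versions, settings and the CHG-1042 ticket are constructed, and the "approved changes" list stands in for whatever record a Configuration Control Board or Change Advisory Board keeps.

```python
"""Baseline-drift check for SP 800-171 3.4.1 to 3.4.3 (added example, not Ignyte or NIST code).

An approved baseline (component inventory plus security settings) is compared
with a snapshot observed later on the same host. Every difference is then
matched against approved change records so that unscheduled or unauthorized
changes are separated from changes the change-control process already approved.
All hosts, packages, settings and ticket numbers below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed approved baseline for one hypothetical host.
BASELINE = {
    "host": "app-srv-01",
    "software": {"openssh-server": "9.2p1", "nginx": "1.22.1", "python3": "3.11.2"},
    "settings": {
        "ssh.PermitRootLogin": "no",
        "ssh.PasswordAuthentication": "no",
        "tls.min_version": "1.2",
    },
}

# Constructed snapshot collected from the same host some time later.
OBSERVED = {
    "host": "app-srv-01",
    "software": {"openssh-server": "9.2p1", "nginx": "1.24.0", "python3": "3.11.2", "netcat": "1.219"},
    "settings": {
        "ssh.PermitRootLogin": "yes",
        "ssh.PasswordAuthentication": "no",
        "tls.min_version": "1.2",
    },
}

# Constructed change records approved through the change-control process.
APPROVED_CHANGES = [
    {"ticket": "CHG-1042", "host": "app-srv-01", "item": "software:nginx", "new": "1.24.0"},
]


@dataclass
class Drift:
    item: str                     # "software:<package>" or "setting:<key>"
    kind: str                     # "added", "removed" or "changed"
    baseline: Optional[str]       # value in the approved baseline (None if added)
    observed: Optional[str]       # value seen on the host (None if removed)
    ticket: Optional[str] = None  # approving change record, if one exists

    @property
    def authorized(self) -> bool:
        return self.ticket is not None


def _diff_section(prefix: str, base: Dict[str, str], obs: Dict[str, str]) -> List[Drift]:
    """Return one Drift per key that differs between baseline and observation."""
    drifts = []
    for key in sorted(set(base) | set(obs)):
        item = f"{prefix}:{key}"
        if key not in obs:
            drifts.append(Drift(item, "removed", base[key], None))
        elif key not in base:
            drifts.append(Drift(item, "added", None, obs[key]))
        elif base[key] != obs[key]:
            drifts.append(Drift(item, "changed", base[key], obs[key]))
    return drifts


def detect_drift(baseline: dict, observed: dict, approved_changes: list) -> List[Drift]:
    """Diff inventory and settings, then attach the approving ticket where a record
    matches the host, the item and the exact value now observed."""
    drifts = _diff_section("software", baseline["software"], observed["software"])
    drifts += _diff_section("setting", baseline["settings"], observed["settings"])
    approvals = {(c["host"], c["item"], c["new"]): c["ticket"] for c in approved_changes}
    for d in drifts:
        d.ticket = approvals.get((observed["host"], d.item, d.observed))
    return drifts


def unauthorized_drift(baseline: dict, observed: dict, approved_changes: list) -> List[Drift]:
    """Only the differences that no approved change record accounts for."""
    return [d for d in detect_drift(baseline, observed, approved_changes) if not d.authorized]


if __name__ == "__main__":
    for d in detect_drift(BASELINE, OBSERVED, APPROVED_CHANGES):
        status = f"approved via {d.ticket}" if d.authorized else "UNAUTHORIZED"
        print(f"{d.kind:8} {d.item}: {d.baseline!r} -> {d.observed!r} ({status})")
```

Run as written, the nginx upgrade is matched to its ticket, while the new netcat package and the flipped `PermitRootLogin` setting surface as unauthorized changes. Matching on the exact observed value matters: a ticket approving nginx 1.24.0 does not silently authorize whatever version turns up later.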

3.4.4 Analyze the security impact of changes prior to implementation.

Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications.

Security impact analysis may include:

  • Reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of safeguards

  • Determining how specific changes might affect those safeguards

Security impact analyses may also include risk assessments to better understand the impact of the changes and to determine if additional safeguards are required.

NIST Special Publication 800-128 provides guidance on configuration change control and security impact analysis.

3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems.

Organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications.

Access restrictions include:

  • Physical and logical access control requirements

  • Workflow automation

  • Media libraries

  • Abstract layers

  • Change windows

NIST Special Publication 800-128 provides guidance on configuration change control.

3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.

Organizations disable unused or unnecessary physical and logical ports and protocols to prevent unauthorized connection of devices, transfer of information, and tunneling.

Organizations can utilize:

  • Network scanning tools

  • Intrusion detection and prevention systems

  • End-point protections such as firewalls and host-based intrusion detection systems

3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.

Restricting the use of nonessential software includes:

  • Restricting the roles allowed to approve program execution

  • Prohibiting auto-execute

  • Program blacklisting and whitelisting

  • Restricting the number of program instances executed at the same time
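Requirements 3.4.6 and 3.4.7 both reduce to an inventory question: which ports, protocols and services are listening, and which of them are essential? The script below is an added example for this page, not Ignyte or NIST code. It parses a socket listing in the column layout of `ss -tulnp` on Linux and compares it with an allowlist of essential services. The listing and the allowlist are constructed for the example; on a real host the listing would come from the host itself, and the allowlist from the approved baseline.

```python
"""Least-functionality check for SP 800-171 3.4.6 and 3.4.7 (added example, not Ignyte or NIST code).

Listening sockets are parsed from output in `ss -tulnp` column layout and
compared with an allowlist of essential services. Two kinds of finding result:
a port/protocol that is not essential at all, and an essential port that is
being served by a process other than the one the baseline expects.
The listing and allowlist below are constructed for this example.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed listing in `ss -tulnp` style, header line included.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128             [::]:22           [::]:*     users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      511          0.0.0.0:443       0.0.0.0:*     users:(("nginx",pid=1203,fd=6))
tcp   LISTEN 0      128          0.0.0.0:23        0.0.0.0:*     users:(("in.telnetd",pid=1400,fd=4))
tcp   LISTEN 0      128        127.0.0.1:8443      0.0.0.0:*     users:(("python3",pid=2100,fd=3))
udp   UNCONN 0      0            0.0.0.0:69        0.0.0.0:*     users:(("in.tftpd",pid=1411,fd=5))
udp   UNCONN 0      0          127.0.0.1:323       0.0.0.0:*     users:(("chronyd",pid=700,fd=5))
"""

# Constructed allowlist: (protocol, port) -> process names approved to serve it.
ESSENTIAL_SERVICES: Dict[Tuple[str, int], Set[str]] = {
    ("tcp", 22): {"sshd"},
    ("tcp", 443): {"nginx"},
    ("tcp", 8443): {"nginx"},
    ("udp", 323): {"chronyd"},
}

_PROC_RE = re.compile(r'"([^"]+)"')   # process name inside users:(("name",pid=...))


def parse_ss(output: str) -> List[dict]:
    """Turn each data line of the listing into a socket record."""
    sockets = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] == "Netid":
            continue
        proto, state, _recvq, _sendq, local, _peer = parts[:6]
        addr, port = local.rsplit(":", 1)          # handles "0.0.0.0:22", "[::]:22", "*:22"
        procs = _PROC_RE.findall(parts[6]) if len(parts) > 6 else ["?"]
        sockets.append({
            "proto": proto,
            "state": state,
            "addr": addr,
            "port": int(port),
            "process": procs[0],
            "loopback": addr in ("[::1]",) or addr.startswith("127."),
        })
    return sockets


def find_nonessential(output: str, allowlist: Dict[Tuple[str, int], Set[str]]) -> List[dict]:
    """Report every listener that is not an essential service, or that serves an
    essential port with an unexpected process. Duplicate family entries (IPv4 and
    IPv6 sockets of the same daemon) collapse into one finding."""
    findings, seen = [], set()
    for s in parse_ss(output):
        key = (s["proto"], s["port"])
        allowed = allowlist.get(key)
        if allowed is None:
            reason = "not an essential service; candidate to disable or block"
        elif s["process"] not in allowed:
            reason = f"essential port served by unexpected process (expected {sorted(allowed)})"
        else:
            continue
        if (key, s["process"]) in seen:
            continue
        seen.add((key, s["process"]))
        findings.append({
            "proto": s["proto"],
            "port": s["port"],
            "process": s["process"],
            "exposed": not s["loopback"],   # reachable from the network, not just localhost
            "reason": reason,
        })
    return sorted(findings, key=lambda f: (f["port"], f["proto"]))


if __name__ == "__main__":
    for f in find_nonessential(SAMPLE_SS_OUTPUT, ESSENTIAL_SERVICES):
        scope = "network-exposed" if f["exposed"] else "loopback-only"
        print(f"{f['port']}/{f['proto']} {f['process']:12} {scope:16} {f['reason']}")
```

On the sample data, telnet and TFTP are flagged as nonessential and network-exposed, and the loopback-only listener on 8443 is flagged because the baseline expects nginx there, not a Python process. The `exposed` field is what lets a reviewer prioritise: a nonessential service bound to localhost is still a finding under 3.4.7, but not one reachable from the network.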

3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

The process used to identify software programs that are not authorized to execute on systems is commonly referred to as blacklisting.

The process used to identify software programs that are authorized to execute on systems is commonly referred to as whitelisting.

Whitelisting is the stronger of the two policies for restricting software program execution.

Organizations consider verifying the integrity of whitelisted software programs using:

  • Cryptographic checksums

  • Digital signatures

  • Hash functions

NIST Special Publication 800-167 provides guidance on application whitelisting.

3.4.9 Control and monitor user-installed software.

To maintain control over the types of software installed, organizations identify permitted and prohibited actions regarding software installation.

The policies organizations select governing user-installed software may be organization-developed or provided by some external entity.
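The integrity checks listed under 3.4.8 (cryptographic checksums, digital signatures, hash functions) and the control over user-installed software in 3.4.9 can be demonstrated together. The script below is an added example for this page, not Ignyte or NIST code: it records the SHA-256 digest of each approved program in a manifest, authenticates the manifest itself, and then classifies every file in a directory as allowed, tampered (listed but with a different digest) or unlisted (present but never approved, which is where user-installed software shows up). The manifest is authenticated with HMAC-SHA256 so the example runs on the standard library alone; that is a symmetric stand-in, and a deployed allowlist would carry a digital signature from the approval process instead. The key, the directory contents and the file names are all constructed.

```python
"""Allowlist integrity check for SP 800-171 3.4.8 and 3.4.9 (added example, not Ignyte or NIST code).

Approved programs are recorded by SHA-256 digest in a manifest. The manifest
carries an HMAC-SHA256 tag so that editing the entries (for instance to add an
unapproved program) invalidates it. HMAC is a symmetric stand-in chosen so the
example needs only the standard library; a deployed allowlist would use a
digital signature. Key, directory layout and file contents are constructed.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple

# Assumption: in a real deployment this key lives in a protected store, not in source.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(entries: Dict[str, str]) -> bytes:
    """Stable serialisation so the same entries always produce the same tag."""
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(paths: Iterable[Path], key: bytes) -> dict:
    """Record the digest of every approved program and authenticate the list."""
    entries = {p.name: sha256_file(p) for p in paths}
    tag = hmac.new(key, _canonical(entries), "sha256").hexdigest()
    return {"entries": entries, "tag": tag}


def manifest_is_authentic(manifest: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(manifest["entries"]), "sha256").hexdigest()
    return hmac.compare_digest(expected, manifest["tag"])


def check_directory(directory: Path, manifest: dict, key: bytes) -> Dict[str, list]:
    """Classify every file: allowed (digest matches), tampered (listed, digest differs)
    or unlisted (on the host but never approved, e.g. user-installed software)."""
    if not manifest_is_authentic(manifest, key):
        raise ValueError("manifest tag does not verify; refusing to trust the allowlist")
    result: Dict[str, list] = {"allowed": [], "tampered": [], "unlisted": []}
    entries = manifest["entries"]
    for path in sorted(p for p in directory.iterdir() if p.is_file()):
        if path.name not in entries:
            result["unlisted"].append(path.name)
        elif sha256_file(path) == entries[path.name]:
            result["allowed"].append(path.name)
        else:
            result["tampered"].append(path.name)
    return result


def build_sample_tree() -> Tuple[Path, dict]:
    """Create a constructed program directory: two files are approved, then one of
    them is modified after approval and a third, unapproved file is added."""
    directory = Path(tempfile.mkdtemp(prefix="allowlist-demo-"))
    backup = directory / "backup.sh"
    report = directory / "report-gen"
    backup.write_bytes(b"#!/bin/sh\necho backup\n")
    report.write_bytes(b"\x7fELF constructed placeholder bytes v1")
    manifest = build_manifest([backup, report], MANIFEST_KEY)
    report.write_bytes(b"\x7fELF constructed placeholder bytes v2")     # change after approval
    (directory / "user-installed-tool").write_bytes(b"never reviewed or approved")
    return directory, manifest


if __name__ == "__main__":
    sample_dir, sample_manifest = build_sample_tree()
    print(json.dumps(check_directory(sample_dir, sample_manifest, MANIFEST_KEY), indent=2))
```

Two design points carry over to a real deployment. First, the verifier refuses to classify anything if the manifest tag fails, because an allowlist that can be edited without detection is only a blacklist of whatever the editor forgot to add. Second, matching on the digest rather than the file name is what makes the "tampered" category possible: the same path with different contents is not the approved program.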


Ignyte © 2020 All Rights Reserved.