This bulletin summarizes the information presented in NIST Special Publication (SP) 800-128, Guide to Security-Focused Configuration Management of Information Systems. The publication was written by Arnold Johnson, Kelley Dempsey, and Ron Ross of NIST, and by Sarbari Gupta and Dennis Bailey of Electrosoft. NIST SP 800-128 explains the fundamental concepts associated with security-focused configuration management (SecCM) and its relationship with general configuration management of information systems. The guidelines help organizations develop a well-defined process for managing and controlling secure system configurations, and for managing risks in information systems. The bulletin discusses the contents of the publication, including general concepts, processes, and activities of configuration management, the integration of security-focused configuration management into the configuration management process, and the role of risk management. References are provided to NIST publications that support configuration management and the risk-based management of information systems.
Keywords
configuration management; Federal Information Security Management Act; FISMA; information security; information systems; information technology (IT); NIST Special Publications; risk management; Risk Management Framework; SecCM; Security Content Automation Protocol; security controls; security plans; security policies; threats; vulnerabilities