The Configuration Management family is the fourth family in the NIST 800-171 standard. This family focuses on the requirements that surround your existing network protocols and safety procedures.

Why is Configuration Management important?

In order for us to best protect our IT systems and network, we have to know what is included in our system. What servers do we have? How many computers are connected? Do we have printers, copiers, webcams, or other hardware connected? Do we allow mobile devices to connect to our system? We need to identify and control the hardware and software that is installed and maintained on our system. If we do not know what is on our system then we cannot control what or who may be able to access it and the data we store. Knowing our system configuration keeps us aware of the different points of access to our system and helps us to better be able to protect these points of access from becoming points of vulnerability that would expose us to higher cybersecurity risk.


What is Configuration Management about in NIST 800-171?

The Configuration Management family contains nine security requirements. Some of the main points that are addressed by these requirements include:

  1. Establish, document, and maintain baseline configurations for your systems–identify your current system configuration and establish baseline security settings for devices and authorized access to modify these settings. Make sure that your configuration and settings are documented and trackable.
  2. Keep your technology device inventory up to date–Update your inventory to document any added or removed devices. Devices that are added to your system should have your baseline security settings in place. Devices that are removed from your system should be properly disposed of such that they are no longer able to access your system.
  3. Keep your software and firmware updated and patched–Regularly check for and apply software updates and firmware (hardware) patches. Out-of-date or unpatched software or firmware create vulnerabilities in your system.
  4. Track, review, and document changes to the configuration of your system–Update your system configuration when any new device or software is added, when any devices or software are retired, and when any modification to settings or documentation is made. Make sure that each change is documented.
  5. Monitor and control software installed by employees–Protect the integrity of your system by controlling who is allowed to install software. Software that installed without your knowledge results in a change to your IT system. And, that will lead to unknown threats that you may be unable to detect.


Check back for our next blog post and learn more about the Identification and Authentication family. You may also be interested in reading our last post on Audit and Accountability.




Katherine Bennett

Katherine Bennett leads the Instructional Design team for NCMEP partner NC State Industry Expansion Solutions. She also serves as project manager for instructional design services. Katherine plays a key leadership role in supporting the IES goal of providing instructional design and development expertise that complements the field-specific expertise of IES partners, while meeting the learning needs of target audiences. Katherine holds a bachelor’s degree in Computer Science from the University of North Carolina at Charlotte and a master’s degree in Instructional Technology from East Carolina University.