Georgetown University has adopted the configuration management principles established in NIST SP 800-171 “Configuration Management” control guidelines as the official policy for this security domain. Each system administrator and system owner must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.

Configuration management plans include detailed processes and procedures for how configuration management is used, developed, and managed to support System Development Life Cycle (SDLC) activities at the information system level. The plans describe how to move changes through change management processes, how to update configuration settings and baselines, how to maintain information system component inventories, how to control development, test, and operational environments, and how to develop, release, and update key documents. 

Configuration Management Plan Requirements

  1. Addresses roles, responsibilities, and configuration management processes and procedures.
     

  2. Defines the configuration items for the information system and when in the system development life cycle (SDLC) the configuration items are placed under configuration management.
     

  3. Establishes the means for identifying configuration items throughout the SDLC and a process for managing the configuration of the configuration items.
     

  4. Assigns responsibility for developing the configuration management process to technology managers who are not directly involved in system development.
     

  5. Defines detailed processes and procedures for how configuration management is used to support SDLC activities at the information system level.
     

  6. Creates a step-by-step implementation plan for every configuration change.
     

  7. Protects the configuration management plan from unauthorized disclosure and modification.
     

  8. Includes a configuration management approval process which identifies:

    • Stakeholders who are responsible for reviewing and approving proposed changes to the information system.

    • Stakeholders who would conduct an impact analysis prior to the implementation of any changes to the system.