Configuration Management (CM) is the ongoing process of identifying and managing changes to deliverables and other work products. The Configuration Management Plan (CM Plan) is developed to define, document, control, implement, account for, and audit changes to the various components of the information system. The CM Plan provides information on the requirements and procedures necessary for CM activities. It identifies CM requirements and establishes the methodology for configuration identification and control of releases and changes to configuration items. It also describes the process for maintaining status accounting and verifying the completeness and correctness of configuration items throughout the system life-cycle.

This plan is based on the guidelines set forth by Configuration Management controls within NIST 800-53. See Configuration Policy and Procedure for additional information.


The Change Management Process shall be used for every requested CI (Change Item) relating to configuration changes.


System cloud servers use the standard Microsoft Azure Government Cloud Windows Server baseline (as specified in their FedRAMP accreditation). The standard baseline is already hardened per Microsoft-defined standards.

A list of approved system components (INFORMATION SYSTEM COMPONENT INVENTORY) has been created and stored in our document repository. This list can only be updated through the Change Management Process. The software component list details the approved versions of all components. The installation guide contains instructions on how the various components are to be installed on the system.

Finally, an additional level of hardening is performed on the cloud server. This is documented in the standard hardening procedure. The principle of least functionality is used.


A source code repository is used to manage all application source code. Upon release, a version is tagged in the repository. The software package is generated by pulling a specific tagged version of the source code from the repository. The installation guide contains instructions on how to install the tagged version on the server (as well as other required setup steps).

Reference NIST Special Publication 800-128 for additional details.


Any changes to the installation guide shall use the Change Management Process. This guarantees that changes will be fully verified as working prior to formal publishing of the guide.


The Change Management Process requires that security impact is considered for all requested changes.

Reference NIST Special Publication 800-128 for additional details.


The installation guide specifies various configuration settings. Settings can vary from one installation to the next within a controlled set of parameters. Any deviations from the standard configuration must be run through the Change Management Process. This ensures that any deviations will be approved and captured on an ongoing basis.

As part of the review process for a CI, the USGCB (http://usgcb.nist.gov/usgcb_faq.html#usgcbfaq_usgcbfdcc) checklist is considered if appropriate.