DFARS 252.204-7012: Are you equipped for configuration management?

Configuration management is one of the 14 control families covered under the NIST SP 800-171 cybersecurity framework. Adherence to the globally recognized standard is an essential part of achieving compliance with the DFARS 252.204-7012 clause. This is mandatory for any organization that makes up part of the 200,000-strong Defense Industrial Base (DIB), or any business that hopes to win requests for proposals (RFPs) from the US Department of Defense.

What is configuration management?

In some respects, configuration management is interchangeable with change management, albeit from the perspective of technology and information governance. Proper maintenance and management of systems and their configurations is especially important at a time when change is the only constant and organizations must continuously adapt and modernize their information systems in accordance with demand.

Configuration management comprises the policies and procedures put in place to establish or maintain the integrity of information and the systems that create, store, or transmit it. It applies throughout the entire lifecycle of the information from the moment it is first collected to when it is ultimately destroyed. As such, configuration management concerns the full range of data-bearing systems from servers to databases to networks and software.

Every organization, especially those that make up the DIB, needs to pay close attention to configuration management. As a proactive approach, this strategy goes far beyond everyday patch management and reduces a great deal of manual work. The aim is to reduce outages caused by system upgrades or changes, avoid implementation failures, and maintain the integrity of data while migrating it from one system to another.

Here is what a well-prepared configuration management plan that aligns with the standards of NIST SP 800-171 should encompass:


As with any security- or compliance-related activity, planning greatly impacts the success or failure of any project. The adoption of new technology, as well as any changes to existing IT systems, cannot happen in a bubble, and there must be a clear alignment between the project and the needs and obligations of the business.

Planning is the first stage of the configuration management process. It involves developing a policy and set of procedures to govern change, along with a clear definition of which teams or employees will be responsible for what. These policies and procedures must be relevant and in line with the unique technology and operational environments of the business.


Once the initial planning and preparation stage has been addressed, security leaders need to establish a baseline configuration. This will set the minimum standards that the organization will need to meet to adhere to both internal policies and external regulatory forces, like DFARS 252.204-7012.

An approved baseline should cover the system in question and its associated components. A secure baseline must address all essential factors, such as configuration settings, anticipated system loads, required patch levels, and how information is physically and logically arranged. Automation can help a great deal to enable interoperability and uniformity across systems.


The constantly evolving nature of technology means that changes often happen beyond the control of the organization. This is especially the case in the era of software-as-a-service and cloud computing, but also with modern operating systems, for which updates are mandatory in most cases. Thus, there also needs to be a way to maintain a secure configuration.

After establishing the baseline, security leaders must implement the controls necessary to actually enforce their policies and procedures. Any changes to the system must happen in a controlled environment, with access restrictions and policies in place to limit any unauthorized or undocumented changes.


Any security architecture will only ever be truly effective if it is being properly monitored. There must be a way to validate that systems and any changes to them are being carried out in line with the organization’s internal policies, as well as regulatory requirements. After all, even if a system is made secure during the previous three phases, that does not mean this will always remain the case.

Automated monitoring, reporting, and alerting serve to uncover any potentially undiscovered or undocumented configuration changes, giving administrators a chance to react before there are any far-reaching consequences. Manual monitoring is simply not an option in many cases, due to the sheer complexity of today’s computing architectures. As such, an automated solution that facilitates situational awareness, and refers any anomalous behavior for manual review, is an essential tool to have.
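
The baseline and monitoring stages described above can be sketched as a drift check that compares each host's observed state with the approved baseline and refers anything without a change record for manual review. This is an added example, not code from Charles IT or from NIST; the host names, setting keys, versions, and change records are constructed for illustration.

```python
# Approved baseline: required settings and minimum patch levels (constructed values).
BASELINE = {
    "settings": {"ssh.PermitRootLogin": "no",
                 "ssh.PasswordAuthentication": "no",
                 "audit.enabled": "yes"},
    "min_patch": {"openssl": (3, 0, 13), "kernel": (5, 15, 0)},
}
# Documented, approved deviations: (host, setting) -> approved value.
APPROVED_CHANGES = {("web01", "ssh.PasswordAuthentication"): "yes"}

# Observed state as a collector might report it (constructed sample input).
OBSERVED = {
    "web01": {"settings": {"ssh.PermitRootLogin": "no",
                           "ssh.PasswordAuthentication": "yes",
                           "audit.enabled": "no"},
              "packages": {"openssl": "3.0.13", "kernel": "5.15.0"}},
    "db01": {"settings": {"ssh.PermitRootLogin": "no",
                          "ssh.PasswordAuthentication": "no"},
             "packages": {"openssl": "3.0.9", "kernel": "5.15.0"}},
}

def parse_version(text):
    # Compare versions numerically; as strings, "3.0.9" would sort above "3.0.13".
    return tuple(int(part) for part in text.split("."))

def check_host(host, observed, baseline=BASELINE, approved=APPROVED_CHANGES):
    """Return (item, status, observed_value) for every deviation from the baseline."""
    findings = []
    for key, expected in baseline["settings"].items():
        actual = observed["settings"].get(key)  # None means the setting is absent
        if actual == expected:
            continue
        if actual is not None and approved.get((host, key)) == actual:
            findings.append((key, "documented-change", actual))
        else:
            findings.append((key, "undocumented-drift", actual))
    for pkg, minimum in baseline["min_patch"].items():
        installed = observed["packages"].get(pkg)
        if installed is None or parse_version(installed) < minimum:
            findings.append((pkg, "below-patch-level", installed))
    return findings

def needs_review(findings):
    # Only deviations without an approved change record go to manual review.
    return [f for f in findings if f[1] != "documented-change"]

if __name__ == "__main__":
    for host, state in OBSERVED.items():
        for item, status, value in needs_review(check_host(host, state)):
            print(f"{host}: {item} {status} (observed: {value})")
```
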

Charles IT can help your business navigate the constantly changing regulatory and cyberthreat landscape with the optimal blend of people, process, and technology. Contact us now to book your first DFARS compliance assessment.