UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

DCPR-1 CM Process


Overview

A configuration management (CM) process is implemented that includes requirements for: 1. Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation; 2. A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems; 3. A testing process to verify proposed configuration changes prior to implementation in the operational environment; and 4. A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted.

MAC / CONF Impact Subject Area
MACI
MACII
MACIII
High Security Design and Configuration

Details

Threat
Numerous security threats have the potential to be introduced to an information system when a proper CM process is not employed.  A well designed and implemented configuration management process will provide a sound framework for an organization to manage and maintain DoD IA compliance.

Guidance
Components shall establish a local configuration management (CM) process that includes consideration for the following:
 
1. Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation;
2. A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, whether scheduled or emergency, to include interconnections to other DoD information systems;
3. A formal testing process to verify proposed configuration changes prior to implementation in the operational environment; and
4. A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted. Techniques such as auditing and verification testing can enable this.

References

  • Carnegie Mellon Software Engineering Institute, Capability Maturity Model® Integration (CMMISM), Version 1, Release 1.  CMMISM for Systems Engineering, Software Engineering, and Integrated Product and Process Development (CMMI-SE/SW/IPPD, Version 1, Release 1) Continuous Representation CMU/SEI-2002-TR-003 ESC-TR-2002-003. December 2001
  • DoD Systems Management College, Defense Acquisition University Press, Systems Engineering Fundamentals. December 2000
  • ANSI/EIA-649 Configuration Management, “National Consensus Standard for Configuration Management”, July 1998
  • IEEE 12207.0, Industry Implementation of International Standard ISO/IEC 12207: 1995 (ISO/IEC 12207)) Standard for Information Technology - Software Life Cycle Processes, 01 March 1998