
DCPR-1 CM Process


Overview

A configuration management (CM) process is implemented that includes requirements for:

1. Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation;
2. A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, to include interconnections to other DoD information systems;
3. A testing process to verify proposed configuration changes prior to implementation in the operational environment; and
4. A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted.

MAC / CONF: MACI, MACII, MACIII
Impact: High
Subject Area: Security Design and Configuration

Details

Threat
Numerous security threats have the potential to be introduced to an information system when a proper CM process is not employed. A well-designed and implemented configuration management process will provide a sound framework for an organization to manage and maintain DoD IA compliance.

Guidance
Components shall establish a local configuration management (CM) process that includes consideration for the following:
 
1. Formally documented CM roles, responsibilities, and procedures to include the management of IA information and documentation;
2. A configuration control board that implements procedures to ensure a security review and approval of all proposed DoD information system changes, whether scheduled or emergency, to include interconnections to other DoD information systems;
3. A formal testing process to verify proposed configuration changes prior to implementation in the operational environment; and
4. A verification process to provide additional assurance that the CM process is working effectively and that changes outside the CM process are technically or procedurally not permitted. Techniques such as auditing and verification testing can enable this.

References

  • Carnegie Mellon Software Engineering Institute, Capability Maturity Model® Integration (CMMI℠), Version 1, Release 1. CMMI℠ for Systems Engineering, Software Engineering, and Integrated Product and Process Development (CMMI-SE/SW/IPPD, Version 1, Release 1) Continuous Representation CMU/SEI-2002-TR-003 ESC-TR-2002-003. December 2001
  • DoD Systems Management College, Defense Acquisition University Press, Systems Engineering Fundamentals. December 2000
  • ANSI/EIA-649 Configuration Management, “National Consensus Standard for Configuration Management”, July 1998
  • IEEE 12207.0, Industry Implementation of International Standard ISO/IEC 12207: 1995 (ISO/IEC 12207) Standard for Information Technology - Software Life Cycle Processes, 01 March 1998