The Configuration Management (CM) domain in NIST SP 800-171 requires organizations to create and maintain baseline configurations and inventories for all their systems, covering hardware, software, firmware, and documentation.
Think of baseline configurations like a snapshot, capturing the ideal system setup. Documenting a system’s desired state and practicing effective configuration and change management are crucial for maintaining the security and integrity of information systems.
A baseline for an IT system should include the software in use, the updates applied, the security status and the system operations. It should detail the components of the system, how they are connected in the network and where they fit into the overall system design. It should also specify the update status, firmware version and document revision. Baselines also include instructions on configuring system components to meet the operational needs of the company.
Organizations should try to achieve the most secure system state while preserving necessary functionality. When setting up a typical system, the baseline configuration might involve adjusting settings, installing software updates, ensuring security measures are in place, implementing various security features and documenting all procedures.
Baselines ensure that systems are securely configured from the beginning and maintain that level of security throughout their lifecycle.
Any changes to a baseline configuration need to be reviewed, authorized, tested and properly recorded through a change management process. This entails formally proposing each modification, analyzing its security implications, conducting tests and obtaining approval before implementation.
Regular audits of configurations are important to verify the correct application of baseline settings and detect any unauthorized adjustments.
Preserving and archiving previous versions of baseline configurations is necessary for incident response and troubleshooting. In case an issue arises, having the capability to revert to a prior stable configuration can be invaluable.
By managing and auditing baseline configurations regularly, organizations can maintain an IT environment with less chance of unauthorized modifications while safeguarding the integrity of their systems.
Elements of a Baseline
1. Configuration Settings
These are parameters found in hardware, software or firmware that affect the security posture and operation of the system when modified. These settings include things like registry settings, encryption, firewall rules, MFA, IP configuration, and group policy.
2. Software Versions and Patch Levels
The specific software versions authorized to be installed on the system and details regarding the latest security updates and patches applied.
3. Network Details
This includes information about the network configuration of the system like its IP address, subnet mask and default gateway.
4. System Interactions
This covers how the system communicates with other systems on the network including protocols used, ports utilized and any security measures implemented.
5. Hardware, Software, Firmware
Specifications for these components of the system and how they are interconnected.
Creating Baseline Configurations
General steps for establishing baselines:
- Begin by compiling an inventory of all assets associated with critical business services. These are the services and assets that, if compromised, could disrupt your operations. Each asset should have its own baseline configuration.
- Organize the identified assets into specific configuration items (CIs). Examples of CI categories include servers, network devices, applications and other essential components.
- Determine the desired state for each item. Document security settings. This may involve BIOS settings, remote access controls, encryption methods, system services, and any other settings relevant to security measures. It may also involve removing unnecessary applications, services, functions and protocols, blocking a port, or adding an exception to firewall rules. Remember Least Functionality! Ensuring that the baseline enables necessary functions while minimizing exposure to unnecessary features or services helps reduce vulnerabilities.
- Use recognized secure configurations such as security checklists or guides like Network Device Configuration Guides or hardening guides. Resources like DISA STIGs and CIS Benchmarks offer standardized guidelines for configuring specific IT systems. The National Checklist Program (NCP) is a valuable tool for accessing these secure configurations.
Change Management
Establish a Change Approval Board (CAB) that is responsible for evaluating and approving proposed changes. Engage stakeholders such as system owners, security personnel and IT managers in reviewing suggested baseline configurations.
Change management plays a crucial role in mitigating risks. The way a system is configured can impact its vulnerability to potential attacks. A security impact analysis of the baseline should be conducted. It is important to test configurations in a controlled environment. Testing before implementing them in production ensures that they are both secure and functional. The findings and results should be presented to the change approval board.
The Change Approval Board (CAB) needs to vote on whether or not to authorize the baseline.
Detailed documentation should be created for each baseline configuration, including all relevant settings, versions and other pertinent details. Implement version control to monitor changes made to the baselines over time; this aids in maintaining security and facilitates rollbacks if something goes sideways.
Once the baselines have been approved by the Change Approval Board, they should be put into action and made available to those who need them. It’s essential to follow a deployment procedure to prevent vulnerabilities from emerging.
Maintaining Baselines
Baseline configurations are not set in stone; they require regular evaluations and updates to stay effective. Baselines will evolve over time to address security threats, technological advancements, and organizational needs. For instance, new security risks might require adjustments to security settings within the baseline, or software upgrades could prompt changes to baseline configurations for compatibility or vulnerability fixes. Integrate updates and patches as needed.
Utilize continuous monitoring to spot any deviations from the established baseline settings. Employing automated tools for detecting changes can enhance accuracy and efficiency.
• Investigating Discrepancies
When discrepancies are detected during monitoring, an analysis should be conducted to understand the situation and assess the potential impact of these deviations. Analyzing log data might uncover unauthorized access attempts or unsanctioned system alterations.
• Remediation and Enhancement
Based on the analysis of discrepancies, appropriate corrective measures need to be implemented to tackle any issues and vulnerabilities. This may involve incident response, uninstalling unauthorized software, restoring configurations to approved baselines, or fixing vulnerabilities.
• Managing Changes and Documentation
Any modifications to baseline configurations should be reviewed and approved through the change management process. Record the changes to keep an accurate and current baseline.
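The monitoring and remediation steps above are easier to picture with a concrete check. The script below is an added example, not from the original post: it holds one CAB-approved configuration item (CI) as a constructed baseline, fingerprints that baseline so tampering with the stored record can be detected, and compares a constructed snapshot of a host against it, reporting unauthorized software, version drift, setting drift and unexpected open ports. The host name, packages, settings and ports are all made up for illustration.

```python
"""Added example (not from the original post): compare a captured host state
against an approved baseline configuration item (CI) and report deviations."""
import hashlib
import json

# Constructed baseline for one CI; a real one comes from your CAB-approved record.
BASELINE = {
    "ci": "web-server-01",
    "version": 3,
    "software": {"openssh-server": "9.6p1", "nginx": "1.24.0"},
    "settings": {"PasswordAuthentication": "no", "PermitRootLogin": "no"},
    "allowed_ports": [22, 443],
}

# Constructed snapshot of what continuous monitoring observed on the host.
OBSERVED = {
    "software": {"openssh-server": "9.6p1", "nginx": "1.22.1", "telnetd": "0.17"},
    "settings": {"PasswordAuthentication": "yes", "PermitRootLogin": "no"},
    "open_ports": [22, 443, 8080],
}

def baseline_digest(baseline):
    """Stable SHA-256 of the approved baseline; store it with the CAB record so
    an altered baseline file is noticed before it is used for comparison."""
    canonical = json.dumps(baseline, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def find_deviations(baseline, observed):
    """Return a list of (category, item, expected, actual) tuples."""
    deviations = []
    for name, ver in observed["software"].items():
        expected = baseline["software"].get(name)
        if expected is None:
            deviations.append(("unauthorized_software", name, None, ver))
        elif expected != ver:
            deviations.append(("version_drift", name, expected, ver))
    for name, expected in baseline["software"].items():
        if name not in observed["software"]:
            deviations.append(("missing_software", name, expected, None))
    for key, expected in baseline["settings"].items():
        actual = observed["settings"].get(key)
        if actual != expected:
            deviations.append(("setting_drift", key, expected, actual))
    for port in observed["open_ports"]:
        if port not in baseline["allowed_ports"]:
            deviations.append(("unexpected_port", port, None, "open"))
    return deviations

if __name__ == "__main__":
    print("baseline digest:", baseline_digest(BASELINE))
    for d in find_deviations(BASELINE, OBSERVED):
        print("%-22s %-22s expected=%s actual=%s" % d)
```

Each reported deviation maps to the remediation bullets above: unauthorized software is uninstalled, drifted settings and versions are restored to the approved state, and any legitimate change is fed back through the change management process with a new baseline version and digest.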
Demonstrating Compliance
Assessors can ask for different kinds of evidence: documents to examine, interviews to conduct, or tests to perform. The following are some examples of evidence they may want to see.
To prove compliance with NIST SP 800-171 standards, you should provide an assessor with your inventory lists containing your hardware, software, firmware and documentation. They will want to review the baseline configurations for your assets and your imaging procedure. Documentation of your change management process and records of modifications will be examined, and they will want to see your methods for deploying baselines and where they are stored. The assessor will want details on how the organization establishes secure baselines, such as using STIGs (Security Technical Implementation Guides) or other benchmarks. They may ask for information about the mechanisms used to ensure images remain unaltered unless authorized.
I hope this information is helpful. Please share any feedback in the comments below. More details on Configuration Management to come!