1903 Configuration Management Policy


Department of Human Services
Online Directives Information System

Index: POL1903

Revised: 06/02/2025

Next Review: 06/02/2027

Subject: DHS Information Security Policies

Policy

This policy establishes the Enterprise Configuration Management Policy for managing risks from system changes that impact baseline configuration settings, system configuration, and security. The configuration management program helps DHS document, authorize, manage, and control system changes impacting Information Systems.

Authority

  1. United States Department of Commerce National Institute for Standards and Technology (NIST)

  2. United States Internal Revenue Service

  3. United States Department of Health & Human Services – Administration of Children and Families (ACF), Office of Child Support Services (OCSS)

  4. United States Department of Health & Human Services - Centers for Medicare & Medicaid Services (CMS)

  5. Georgia Technology Authority

  6. Social Security Administration

  7. Federal Bureau of Investigation (Criminal Justice Information Services)

Applicability

The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.

Definitions

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

Responsibilities

DHS shall adopt the Configuration Management principles established in the NIST SP 800-53 “Configuration Management” Control Family guidelines as the official policy for this domain. The following subsections outline the Configuration Management standards that constitute DHS policy. Each DHS Business System is then bound to this policy, and shall develop or adhere to a program plan which demonstrates compliance with the policy related to the standards documented.

CM-1 Configuration Management Policy and Procedures

  1. Develop, document, and disseminate to designated agency personnel:

    1. All organizational level configuration management policy that:

      1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

      2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and

    2. Procedures to facilitate the implementation of the configuration management policy and the associated controls.

  2. Designate an agency official to manage the development, documentation, and dissemination of the configuration management policy and procedures; and

  3. Review and update the current configuration management:

    1. Policy every one (1) year (or if there is a significant change); and

    2. Procedures every one (1) year (or when there is a significant change).

CM-2 Baseline Configuration

  1. Develop, document, and maintain under configuration control, a current baseline configuration of the systems; and

  2. Review and update the baseline configuration of the system:

    1. At a minimum annually.

    2. When required due to reorganizations, refreshes, etc.; and

    3. When system components are installed or upgraded.

CM-2 (2) Automation Support for Accuracy and Currency:

Maintain the currency, completeness, accuracy, and availability of the baseline configuration of the system using automated mechanisms.

CM-2 (3) Retention of Previous Configurations:

Retain at least one (1) of the previous versions of baseline configurations of the system to support rollback.

IRS.1:

Agencies must use SCSEMs provided on the Office of Safeguards website to ensure secure configurations of all agency information technology and communication systems receiving, processing, storing, accessing, protecting and/or transmitting FTI.

CM-2 (6) Development and Test Environments:

Maintain a baseline configuration for system development and test environments that is managed separately from the operational baseline configuration.

CM-2 (7) Configure Systems and Components for High-Risk Areas:

  1. Issue a specifically configured computing device with more stringent configuration settings (e.g., FIPS 140-2 for encryption) and the minimum-needed access to CUI to individuals traveling to locations that are deemed to be of significant risk; and

  2. Apply the following controls to the systems or components when the individuals return from travel: examine for signs of tampering, reformat storage media before reintroduction to the CUI environment.

CM-3 Configuration Change Control

Change control management is required for key information systems. The following applies to all agency systems which must enter the configuration change control process:

  1. Determine and document the types of changes to the system that are to be configuration-controlled.

  2. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for the security impact analysis.

  3. Document configuration change decisions associated with the system;

  4. Implement approved configuration-controlled changes to the system.

  5. Retain records of configuration-controlled changes to the system for 3 years;

  6. Monitor and review activities associated with configuration-controlled changes to the system; and

  7. Coordinate and provide oversight for configuration change control activities through change request forms that must be approved by an organizational Configuration Control Board that convenes on a monthly basis when changes are proposed.

CM-3 (2) Testing, Validation and Documentation of Changes:

Test, validate, and document changes to the system before finalizing the implementation of the changes.

CM-3 (4) Security and Privacy Representative:

Require ISSO/ISSM and Privacy Representatives to be members of the Configuration Control Board.

CM-4 Security and Privacy Impact Analysis

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

CM-4 (1): Separate Test Environments

The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

CM-4 (2) Verification of Controls:

After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.

CM-5 Access Restrictions for Change

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

CM-5 (1): Automated Access Enforcement and Audit Records:

The information system enforces access restrictions and supports auditing of the enforcement actions.

CM-5 (5) Privilege Limitation for Production and Operations:

  1. Limit privileges to change system components and system-related information within a production or operational environment; and

  2. Review and reevaluate privileges at least quarterly.

IRS.1:

Restrict administration of configurations to only authorized administrators.

IRS.2:

Verify the authenticity and integrity of Basic Input/Output System (BIOS) or Unified Extensible Firmware Interface (UEFI) updates to ensure that the BIOS or UEFI is protected from modification outside of the secure update process.

CM-6 Configuration Settings

  1. Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using Office of Safeguards–approved compliance tools (e.g., SCSEMs, automated assessment tools);

  2. Implement the configuration settings;

  3. Identify, document, and approve any deviations from established configuration settings for information systems that receive, process, store, or transmit CUI based on explicit operational requirements; and

  4. Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.

IRS.1:

The agency shall ensure that all devices across the enterprise that store agency data are appropriately reviewed for security purposes prior to connection or reconnection to the agency’s network (e.g., checks for malicious code, updates to malware detection software, critical software updates and patches, operating system integrity, and disabled hardware).

CM-6 (1): Automated Management Application and Verification

The organization employs automated mechanisms to centrally manage, apply, and verify configuration settings for information technology products.

CM-7 Least Functionality

  1. Configure the system to provide only mission essential capabilities; and

  2. Prohibit or restrict the use of the following functions, ports, protocols, software, and/or service:

    1. Those not needed to conduct business;

    2. Those defined in the IRS Office of Safeguards approved compliance requirements (e.g., SCSEMs, assessment tools);

    3. Maintenance ports when not in use; and

    4. File Transfer Protocol (FTP).

CM-7(1) Periodic Review:

  1. Review the system upon encountering a significant risk, as incidents occur, upon major system/software updates, or at least annually to identify unnecessary and/or nonsecure functions, ports, protocols, software, and services; and

  2. Disable or remove identified functions, ports, protocols, and services within the information system deemed to be unnecessary and/or nonsecure.

CM-7 (2): Prevent Program Execution

Prevent program execution in accordance with organizational-defined policies, rules of behavior, and rules authorizing the terms and conditions of software program usage.

CM-7 (5) Authorized Software – Allow By Exception

  1. Identify software programs authorized to execute on the system;

  2. Employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs on the system; and

  3. Review and update the list of authorized software programs at a minimum annually.

IRS.1:

Periodically scan FTI networks to detect and remove any unauthorized or unlicensed software.

CM-7 (9) Prohibiting the Use of Unauthorized Hardware:

  1. Identify agency-defined hardware components authorized for system use;

  2. Prohibit the use or connection of unauthorized hardware components;

  3. Review and update the list of authorized hardware components annually.

CM-8 Information System Component Inventory

  1. Develop and document an inventory of system components that:

    1. Accurately reflects the system.

    2. Includes all components that store, process, or transmit CUI.

    3. Does not include duplicate accounting of components or components assigned to any other system;

    4. Is at the level of granularity deemed necessary for tracking and reporting; and

    5. Includes the following information to achieve system component accountability: for example, hardware inventory specifications, software license information, software version numbers, component owners and, for networked components or devices, machine names and network addresses. Inventory specifications include, for example, manufacturer, device type, model, serial number, and physical location; and

  2. Review and update the system component inventory at a minimum annually.

CM-8 (1) Updates During Installation and Removal:

Update the inventory of system components as part of component installations, removals, and system updates.

CM-8 (3) Automated Unauthorized Component Detection:

  1. Detect the presence of unauthorized hardware, software, and firmware components within the system using automated mechanisms at all times; and

  2. Take the following actions when unauthorized components are detected:

    1. Disable network access by such components.

    2. Isolate the components.

    3. Notify designated Agency IT personnel.

CM-9 Configuration Management Plan

Develop, document, and implement a configuration management plan for the system that:

  1. Addresses roles, responsibilities, and configuration management processes and procedures;

  2. Establishes a process for identifying configuration items throughout the System Development Life Cycle (SDLC) and for managing the configuration of the configuration items;

  3. Defines the configuration items for the system and places the configuration items under configuration management;

  4. Is reviewed and approved by designated agency personnel; and

  5. Protects the configuration management plan from unauthorized disclosure and modification.

CM-10 Software Usage Restrictions

  1. Use software and associated documentation in accordance with contract agreements and copyright laws;

  2. Track the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

  3. Control and document the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.

CM-11 User Installed Software

  1. Establish policies governing the installation of software by users;

  2. Enforce software installation policies through the following methods: procedural methods (e.g., periodic examination of user accounts), automated methods (e.g., configuration settings implemented on organizational information systems), or both; and

  3. Monitor policy compliance continuously, at a minimum.

CM-12: Information Location

  1. Identify and document the location of CUI and the specific system components on which the information is processed and stored;

  2. Identify and document the users who have access to the system and system components where the information is processed and stored; and

  3. Document changes to the location (i.e., system or system components) where the information is processed and stored.

CM-12 (1) Automated Tools to Support Information Location:

Use automated tools to identify CUI on system components to ensure controls are in place to protect organizational information and individual privacy.

CM-13: Data Action Mapping

Develop and document a map of system data actions.

CM-14: Signed Components

Prevent the installation of agency-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

History

Date Change User Version

Evaluation

The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:

  1. Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E.

  2. Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as IRS, CMS, SSA, FBI, etc.