ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

4 CONFIGURATION MANAGEMENT

Basic Security Requirements:

4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.

Derived Security Requirements:

4.3 Track, review, approve/disapprove, and audit changes to information systems.

4.4 Analyze the security impact of changes prior to implementation.

4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.

4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.

4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

4.9 Control and monitor user-installed software.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056