NOTICE: Due to a lapse in annual appropriations, most of this website is not being updated. Learn more.

Form submissions will still be accepted but will not receive responses at this time. Sections of this site for programs using non-appropriated funds (such as NVLAP) or those that are excepted from the shutdown (such as CHIPS and NVD) will continue to be updated.

U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

PUBLICATIONS

Guide for Security-Focused Configuration Management of Information Systems

Published

Author(s)

Arnold Johnson, Kelley L. Dempsey, Ronald S. Ross, Sarbari Gupta, Dennis Bailey

Abstract

[Includes updates as of October 10, 2019] Guide for Security-Focused Configuration Management of Information Systems provides guidelines for organizations responsible for managing and administering the security of federal information systems and associated environments of operation. Configuration management concepts and principles described in this publication provide supporting information for NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations. NIST SP 800-128 assumes that information security is an integral part of an organization's overall configuration management. The focus of this document is on implementation of the information system security aspects of configuration management, and as such the term security-focused configuration management (SecCM) is used to emphasize the concentration on information security. In addition to the fundamental concepts associated with SecCM, the process of applying SecCM practices to information systems is described. The goal of SecCM activities is to manage and monitor the configurations of information systems to achieve adequate security and minimize organizational risk while supporting the desired business functionality and services.
Citation
Special Publication (NIST SP) - 800-128
Report Number
800-128
NIST Pub Series
Special Publication (NIST SP)
Pub Type
NIST Pubs
Supercedes Publication
Guide for Security-Focused Configuration Management of Information Systems

Download Paper

DOI Link

Keywords

Configuration management, information systems, security program, risk management framework, security-focused continuous monitoring, SecCM, control, monitoring, security content automation protocol (SCAP).
Risk management and Cybersecurity and privacy

Citation

Johnson, A. , Dempsey, K. , Ross, R. , Gupta, S. and Bailey, D. (2019), Guide for Security-Focused Configuration Management of Information Systems, Special Publication (NIST SP), National Institute of Standards and Technology, Gaithersburg, MD, [online], https://doi.org/10.6028/NIST.SP.800-128 (Accessed October 2, 2025)

Issues

If you have any questions about this publication or are having problems accessing it, please contact [email protected].

Created October 10, 2019, Updated October 12, 2021
Was this page helpful?