Configuration And Change Management - CISA


CRR Supplemental Resource Guide
Volume 3: Configuration and Change Management
Version 1.1

Copyright 2016 Carnegie Mellon University

This material is based upon work funded and supported by the Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the Department of Homeland Security or the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

CERT and OCTAVE are registered marks of Carnegie Mellon University.

DM-0003277

Distribution Statement A: Approved for Public Release; Distribution is Unlimited

Table of Contents

I. Introduction ... 1
   Series Welcome ... 1
   Audience ... 3
II. Configuration and Change Management ... 4
   Overview ... 4
   Configuration and Change Management Terms ... 5
   Configuration and Change Management Process ... 5
III. Create a Configuration and Change Management Plan ... 8
   Before You Begin ... 8
   Step 1. Obtain support for configuration and change management planning. ... 9
   Step 2. Budget for configuration and change management. ... 9
   Step 3. Define roles and responsibilities. ... 9
   Step 4. Gather existing policies, procedures, and documentation related to configuration and change management. ... 10
   Step 5. Identify and prioritize critical organizational services that will require change and configuration management. ... 10
   Step 6. Validate critical services with stakeholders and establish a configuration change review board. ... 11
   Step 7. Develop a change request process. ... 11
   Step 8. Determine how changes will be communicated to the organization. ... 12
   Step 9. Develop a configuration and change management training plan. ... 12
   Step 10. Identify tools for use in implementing and monitoring configurations. ... 12
   Step 11. Plan for capacity management. ... 13
   Output of Section III ... 14
IV. Identify Configuration Items ... 15
   Before You Begin ... 15
   Step 1. Map critical organizational services to stakeholders and related services. ... 15
   Step 2. Identify assets related to the critical services. ... 16
   Step 3. Identify the configuration items of the assets that will undergo change and require change and configuration management. ... 16
   Step 4. Determine a configuration baseline for each configuration item. ... 17
   Output of Section IV ... 17
V. Implement and Control Configuration Changes ... 18
   Before You Begin ... 18
   Step 1. Evaluate change requests and approvals. ... 19
   Step 2. Model configuration changes in a test environment. ... 20
   Step 3. Deploy changes in the production environment. ... 21
   Step 4. Determine the success or failure of changes. ... 22
   Step 5. Roll back unsuccessful changes. ... 23
   Step 6. Close out completed changes. ... 23
   Step 7. Change configuration baselines. ... 25
   Output of Section V ... 26
VI. Monitor Configuration Changes ... 27
   Before You Begin ... 27
   Step 1. Identify systems or components not specified in documentation. ... 27
   Step 2. Identify disparities between authorized, approved baselines and actual, implemented baselines. ... 28
   Step 3. Monitor system logs for unauthorized changes. ... 28
   Step 4. Collect existing audits and configuration control records. ... 28
   Step 5. Define remediation action. ... 29
   Step 6. Execute monitoring plan. ... 29
   Output of Section VI ... 30
VII. Conclusion ... 31
Appendix A. Example Change Request Template ... 32
Appendix B. Example Change Impact Analysis Template ... 34
Appendix C. Configuration and Change Management Resources ... 36
Appendix D. CRR/CERT-RMM Practice/NIST CSF Subcategory Reference ... 37
Endnotes ... 39

I. Introduction

Series Welcome

Welcome to the CRR Resource Guide series. This document is 1 of 10 resource guides developed by the Department of Homeland Security’s (DHS) Cyber Security Evaluation Program (CSEP) to help organizations implement practices identified as considerations for improvement during a Cyber Resilience Review (CRR).[1]

The CRR is an interview-based assessment that captures an understanding and qualitative measurement of an organization’s operational resilience, specific to IT operations. Operational resilience is the organization’s ability to adapt to risk that affects its core operational capacities.[2] It also highlights the organization’s ability to manage operational risks to critical services and associated assets during normal operations and during times of operational stress and crisis. The guides were developed for organizations that have participated in a CRR, but any organization interested in implementing or maturing operational resilience capabilities for critical IT services will find these guides useful.

The 10 domains covered by the CRR Resource Guide series are
1. Asset Management
2. Controls Management
3. Configuration and Change Management (this guide)
4. Vulnerability Management
5. Incident Management
6. Service Continuity Management
7. Risk Management
8. External Dependencies Management
9. Training and Awareness
10. Situational Awareness

The objective of the CRR is to allow organizations to measure the performance of fundamental cybersecurity practices. DHS introduced the CRR in 2011. In 2014 DHS launched the Critical Infrastructure Cyber Community or C³ (pronounced “C Cubed”) Voluntary Program to assist the enhancement of critical infrastructure cybersecurity and to encourage the adoption of the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF). The NIST CSF provides a common taxonomy and mechanism for organizations to
1. describe their current cybersecurity posture
2. describe their target state for cybersecurity
3. identify and prioritize opportunities for improvement within the context of a continuous and repeatable process
4. assess progress toward the target state
5. communicate among internal and external stakeholders about cybersecurity risk

The CRR Self-Assessment Package includes a correlation of the practices measured in the CRR to criteria of the NIST CSF. An organization can use the output of the CRR to approximate its conformance with the NIST CSF. It is important to note that the CRR and NIST CSF are based on different catalogs of practice. As a result, an organization’s fulfillment of CRR practices and capabilities may fall short of, or exceed, corresponding practices and capabilities in the NIST CSF.

Each resource guide in this series has the same basic structure, but each can be used independently. Each guide focuses on the development of plans and artifacts that support the implementation and execution of operational resilience capabilities. Organizations using more than one resource guide will be able to leverage complementary materials and suggestions to optimize their adoption approach. For example, assets identified in the Asset Management Resource Guide are often part of the configuration and change management plan.

Each guide derives its information from best practices described in a number of sources, but primarily from the CERT Resilience Management Model (CERT-RMM).[3] The CERT-RMM is a maturity model for managing and improving operational resilience, developed by the CERT Division of Carnegie Mellon University’s Software Engineering Institute (SEI). This model is meant to
- guide the implementation and management of operational resilience activities
- converge key operational risk management activities
- define maturity through capability levels
- enable maturity measurement against the model
- improve an organization’s confidence in its response to operational stress and crisis

The CERT-RMM provides the framework from which the CRR is derived—in other words, the CRR method bases its goals and practices on the CERT-RMM process areas.

This guide is intended for organizations seeking help in establishing a configuration and change management process and for organizations seeking to improve their existing configuration and change management process. More specifically, this guide
- educates readers about the configuration and change management process
- promotes a common understanding of the need for a configuration and change management process
- identifies and describes key practices for configuration and change management
- provides examples and guidance to organizations wishing to implement these practices

The guide is structured as follows:
I. Introduction—Introduces the CRR Resource Guide series and describes the content and structure of these documents.
II. Configuration and Change Management—Presents an overview of the configuration and change management process and establishes some basic terminology.
III. Create a Configuration and Change Management Plan—Details the process of creating a configuration and change management plan and identifies details that an organization should consider when developing its plan.
IV. Identify Configuration Items—Details the process of identifying assets that support critical services and will be configured and managed using this process.

CERT is a registered mark owned by Carnegie Mellon University.

V. Implement and Control Configuration Changes—Details the process by which changes are approved, executed, and brought to closure.
VI. Monitor Configuration Changes—Details the process for assessing whether changes have occurred and procedures for addressing unauthorized changes.
VII. Conclusion—Summarizes the steps outlined in this document and suggests next steps for implementation.

Audience

The principal audience for this guide includes individuals who are responsible for designing, implementing, or overseeing configuration and change management in an organization. Senior executives who develop policies governing the implementation of configuration and change management may also benefit from this guide.

To learn more about the source documents for this guide and for other documents of interest, see Appendix C.

II. Configuration and Change Management

CRR Goal and Practice [CERT-RMM Reference]:
Goal 2: The integrity of technology and information assets is managed.
1. Is configuration management performed for technology assets? [TM:SG4.SP2]

NIST CSF Category/Subcategory:
PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained.

Overview

Configuration and change management (CCM) is the process of maintaining the integrity of hardware, software, firmware, and documentation related to the configuration and change management process. CCM is a continuous process of controlling and approving changes to information or technology assets or related infrastructure that support the critical services of an organization. This process includes the addition of new assets, changes to assets, and the elimination of assets.

The purpose of configuration and change management is to “establish processes to ensure the integrity of assets, using change control and change control audits” (CRR).

As the complexity of information systems increases, the complexity of the processes used to create these systems also increases, as does the probability of accidental errors in configuration. The impact of these errors puts data and systems that may be critical to business operations at significant risk of failure that could cause the organization to lose business, suffer damage to its reputation, or close completely. Having a CCM process to protect against these risks is vital to the overall security posture of the organization. Figure 1 summarizes the four phases of the CCM process.

Figure 1: The Configuration and Change Management Process

Configuration and Change Management Terms

The following terms are associated with the CCM process:
- configuration item (CI)—an asset or series of related assets (typically focused on information or technology) that is placed under configuration management
- baseline configuration—a representation of the settings, software, and state of a CI that is formally reviewed and agreed to at a given point in time and can only be modified through a formal CCM process. The baseline is used as a reference to manage the integrity of a CI over its lifecycle.[4]
- configuration and change management plan (CCMP)—the process by which changes to CIs are governed and implementation is executed. This includes policies and processes to request, approve, reject, implement, monitor, and improve changes to CIs.
- configuration management database (CMDB)—a database used to store configuration records throughout their lifecycle. A configuration management system maintains one or more configuration databases, and each database stores attributes of CIs and their relationships with other CIs.[4]
- configuration control review board (CCRB)—an organizational construct, made up of stakeholders, that is responsible for supporting the assessment, prioritization, authorization, and scheduling of changes to CIs and the implementation of policies governing those changes. ITIL refers to this construct as a Change Advisory Board.[4]

Configuration and Change Management Process

Create a Configuration and Change Management Plan

CCM enables the organization to control frequent changes to its high-value assets so that disruptions are mitigated and benefits are optimized. Resilient organizations ar
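The terms defined above (CI, baseline configuration, CMDB record, CCRB-approved change) fit together as a drift check: observed state is compared against the agreed baseline, and each difference is either traced to an approved change request or flagged as unauthorized. The following Python script is an added example that is not part of the CISA/CERT guide; the CI identifiers, settings, change-request numbers and observed values are constructed for illustration, and the functions implement only the comparison logic, not any collection of real system state.

```python
"""Added example (not from the CRR Resource Guide): detect configuration drift
against a CMDB-style baseline and separate CCRB-approved changes from
unauthorized ones. All CI ids, settings and change requests are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRequest:
    """A change request record; `approved` reflects the CCRB decision."""
    cr_id: str
    ci_id: str
    setting: str
    new_value: str
    approved: bool


# Constructed CMDB-style baseline: CI id -> formally agreed settings of that CI.
BASELINE = {
    "web-01": {"ssh.PermitRootLogin": "no", "tls.min_version": "1.2", "pkg.nginx": "1.24.0"},
    "db-01": {"ssh.PermitRootLogin": "no", "pg.ssl": "on", "pg.version": "15.4"},
}

# Constructed observed state, as a collection agent might report it.
OBSERVED = {
    "web-01": {"ssh.PermitRootLogin": "no", "tls.min_version": "1.3", "pkg.nginx": "1.24.0"},
    "db-01": {"ssh.PermitRootLogin": "yes", "pg.ssl": "on", "pg.version": "15.4", "pg.debug": "on"},
}

# Constructed change requests: one approved by the CCRB, one rejected.
CHANGE_REQUESTS = [
    ChangeRequest("CR-1001", "web-01", "tls.min_version", "1.3", approved=True),
    ChangeRequest("CR-1002", "db-01", "ssh.PermitRootLogin", "yes", approved=False),
]


def find_drift(baseline, observed):
    """Return (ci_id, setting, baseline_value, observed_value) tuples for every
    setting whose observed value differs from the baseline. A value of None
    means the setting is absent on that side (removed, or added outside the
    baseline)."""
    drift = []
    for ci_id, base in baseline.items():
        obs = observed.get(ci_id, {})
        for setting in sorted(set(base) | set(obs)):
            if base.get(setting) != obs.get(setting):
                drift.append((ci_id, setting, base.get(setting), obs.get(setting)))
    return drift


def classify_drift(drift, change_requests):
    """Split drift into changes backed by an approved change request and
    changes with no approval (candidates for remediation or rollback)."""
    approved = {(cr.ci_id, cr.setting, cr.new_value)
                for cr in change_requests if cr.approved}
    authorized, unauthorized = [], []
    for item in drift:
        ci_id, setting, _base, observed_value = item
        if (ci_id, setting, observed_value) in approved:
            authorized.append(item)
        else:
            unauthorized.append(item)
    return authorized, unauthorized


def updated_baseline(baseline, authorized):
    """Fold authorized, completed changes back into a new baseline so the
    reference reflects the approved state; the input baseline is not mutated."""
    new = {ci_id: dict(settings) for ci_id, settings in baseline.items()}
    for ci_id, setting, _base, observed_value in authorized:
        if observed_value is None:
            new[ci_id].pop(setting, None)
        else:
            new[ci_id][setting] = observed_value
    return new


if __name__ == "__main__":
    drift = find_drift(BASELINE, OBSERVED)
    authorized, unauthorized = classify_drift(drift, CHANGE_REQUESTS)
    for ci_id, setting, base, obs in authorized:
        print(f"AUTHORIZED   {ci_id} {setting}: {base!r} -> {obs!r}")
    for ci_id, setting, base, obs in unauthorized:
        print(f"UNAUTHORIZED {ci_id} {setting}: {base!r} -> {obs!r}")
    print("next baseline:", updated_baseline(BASELINE, authorized))
```

With the constructed data, the TLS change on web-01 is matched to the approved request and becomes part of the next baseline, while the root-login change and the undocumented debug setting on db-01 are reported as unauthorized drift; note that the rejected request CR-1002 does not make a matching change authorized.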
