Over the last few years, the idea of patching systems to correct flaws has graduated from an annoying business disruption to a top priority. With all of the notorious vulnerabilities that can wreak total havoc, the time it takes to patch becomes a minor inconvenience when weighed against both the technical challenges and possible regulatory penalties of not patching. 

While patching is a critical component of a comprehensive security program, one area that is more challenging is configuration management. No matter how frequently a system is patched, it can all be undone by a misconfiguration or an overlooked configuration. This is especially true when working with security configurations. These hidden flaws in a system remain even with the most current and rigorous patching process.

Getting to Know NIST SP 800-128

Fortunately, there’s some guidance for configuration management specifically targeted towards security. NIST Special Publication 800-128, titled “Guide for Security-Focused Configuration Management of Information Systems,” presents advice that works in tandem with its parent guidance, the well-known SP 800-53 (now at Revision 5) “Security and Privacy Controls for Information Systems and Organizations.”

SP 800-128 was originally published in 2011, and it now contains updates from 2019. The comparisons between the two documents can be found in the eight-page Errata statement at the beginning of the publication; however, most of that is a collection of updated index references for other referenced documents. The main content begins after that and continues up until the appendices, which begin at page 46. (A note about the NIST appendices: Anyone who has ever read a NIST document knows that the appendices are as important as the body of the document and should not be overlooked. There are some really impressive flow charts in Appendix G that add visual clarity to the text