Security-Focused Configuration Management of Information Systems

CMPIC Course 15:  20-24 hours  |  2.0 - 2.4 CEUs  |  Certification




This class will address the role of configuration management in protecting information systems. Students who complete this course will understand the overall CM requirements as addressed in NIST Special Publication 800-53 "Security and Privacy Controls for Federal Information Systems and Organizations" and as detailed in NIST Special Publication 800-128 "Guide for Security-Focused Configuration Management of Information Systems". Course materials will come from the NIST publications and will be supplemented with application examples provided by CMPIC. The CM requirements, principles and application examples taught in this class are directly applicable to government and commercial IT systems/environments. The course consists of lecture and workshops.




"Organizations apply configuration management (CM) for establishing baselines and for tracking, controlling, and managing many aspects of business development and operation (e.g., products, services, manufacturing, business processes, and information technology). Organizations with a robust and effective CM process need to consider information security implications with respect to the development and operation of information systems including hardware, software, applications, and documentation. Effective CM of information systems requires the integration of the management of secure configurations into the organizational CM process or processes. For this reason, this document [NIST SP 800-128] assumes that information security is an integral part of an organization’s overall CM process; however, the focus of this document [NIST SP 800-128] is on implementation of the information system security aspects of CM, and as such the term security-focused configuration management (SecCM) is used to emphasize the concentration on information security. Though both IT business application functions and security-focused practices are expected to be integrated as a single process, SecCM in this context is defined as the management and control of configurations for information systems to enable security and facilitate the management of information security risk." Quote from NIST SP 800-128



After successfully completing this course and exam, you will receive 2.4 CEUs and your Security-Focused Configuration Management of Information Systems Certification from CMPIC LLC.



  • Configuration Management professionals responsible for an organization’s automated CM systems / tools and related systems.

  • Individuals with information system, information security management and oversight responsibilities (e.g., chief information officers, senior agency information security officers, and authorizing officials).

  • Individuals with information system development responsibilities (e.g., program and project managers, mission / application owners, system designers, system and application programmers).

  • Individuals with information security implementation and operational responsibilities (e.g., information system owners, information owners, information system administrators, information system security officers).

  • Individuals with information system and information security assessment and monitoring responsibilities (e.g., auditors, Inspectors General, assessors / assessment teams).

  • Commercial companies producing information technology products and systems, creating information security-related technologies, and providing information security services can also benefit from the information in this publication.



There are no prerequisites for this course.



  • CM Requirements for IT Security - Background
  • NIST SP 800-53 Configuration Management Controls
  • NIST SP 800-53 System and Services Acquisition Controls
  • Workshop #1
  • NIST SP 800-128 Introduction
  • NIST SP 800-128 The Fundamentals Part 1
  • NIST SP 800-128 The Fundamentals Part 2
  • Workshop #2
  • NIST SP 800-128 The Process Part 1
  • NIST SP 800-128 The Process Part 2
  • Workshop #3
  • NIST SP 800-128 The Process Part 3
  • NIST SP 800-128 The Process Part 4
  • NIST SP 800-128 The Process Part 5
  • NIST SP 800-128 Appendixes A, B, C, D, E, F
  • Certification Exam



Loved the stories that related to the material. I am grateful for the handouts (flow charts, templates, etc.). I feel more knowledgeable to ask our IT/CM team questions.

Loved taking this course - very engaging and presented in an interesting way. The focus on standards was helpful.

This class has a lot of information. It would benefit our ISSOs.

Good course to help someone understand IT. CM is not any different than CM used elsewhere. Good insight about adding security evaluation to CCB.

[The instructor] did a good job keeping our attention on the intent [of the standard] - to see the additional CM requirements for IT systems.

Fabulous course - so much material! It was great, but I now know how much more work we have left to do!