Security-Focused Configuration Management of Information Systems

CMPIC Course 15

About this Course

This 3-day class will address the role of configuration management in protecting information systems. Students who complete this course will understand the overall CM requirements as addressed in NIST Special Publication 800-53, "Security and Privacy Controls for Federal Information Systems and Organizations", and as detailed in NIST Special Publication 800-128, "Guide for Security-Focused Configuration Management of Information Systems". Course materials will come from the NIST publications and will be supplemented with application examples provided by CMPIC. The CM requirements, principles and application examples taught in this class are directly applicable to government and commercial IT systems and environments. The course consists of lecture and workshops.

Why Consider this Course

"Organizations apply configuration management (CM) for establishing baselines and for tracking, controlling, and managing many aspects of business development and operation (e.g., products, services, manufacturing, business processes, and information technology). Organizations with a robust and effective CM process need to consider information security implications with respect to the development and operation of information systems including hardware, software, applications, and documentation. Effective CM of information systems requires the integration of the management of secure configurations into the organizational CM process or processes. For this reason, this document [NIST SP 800-128] assumes that information security is an integral part of an organization’s overall CM process; however, the focus of this document [NIST SP 800-128] is on implementation of the information system security aspects of CM, and as such the term security-focused configuration management (SecCM) is used to emphasize the concentration on information security. Though both IT business application functions and security-focused practices are expected to be integrated as a single process, SecCM in this context is defined as the management and control of configurations for information systems to enable security and facilitate the management of information security risk." (Source: NIST SP 800-128)


There are no prerequisites for this course.


Intended Audience

  • Configuration Management professionals responsible for an organization’s automated CM systems / tools and related systems.

  • Individuals with information system, information security management and oversight responsibilities (e.g., chief information officers, senior agency information security officers, and authorizing officials).

  • Individuals with information system development responsibilities (e.g., program and project managers, mission / application owners, system designers, system and application programmers).

  • Individuals with information security implementation and operational responsibilities (e.g., information system owners, information owners, information system administrators, information system security officers).

  • Individuals with information system and information security assessment and monitoring responsibilities (e.g., auditors, Inspectors General, assessors / assessment teams).

  • Commercial companies producing information technology products and systems, creating information security-related technologies, and providing information security services can also benefit from the information in this publication.


Certificate Requirements

Students who successfully complete this course and associated exam will receive a certification from CMPIC.
