SA-10-727 Developer Configuration Management

Developer Configuration Management

Developer Configuration Management
Security Assessment and Authorization
Change Management
August 16, 2017

Information resource owners shall require that all changes to production systems follow the Agency's approved change management process.

Changes are made to production systems without a formal change process.
The organization requires the developer of the information system, system component, or information system service to: a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation]; b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; c. Implement only organization-approved changes to the system, component, or service; d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
The organization should have documented change control procedures that: a. requires approval for making changes; b. takes into account impact on information security and related configurations; c. performs appropriate level of testing of changes, including information security, as applicable; d. tracks defects and security flaws; and e. requires approval from appropriate level of management for authorizing changes into production.
All security-related information resources changes shall be approved by the information owner through a change control process. Approval shall occur prior to implementation by the state organization or independent contractors.
Obtain system and services acquisition policy; procedures addressing information system developer/integrator configuration management; acquisition contracts and service level agreements; information system developer/integrator configuration management plan; security flaw tracking records; system change authorization records; other relevant documents or records and ascertain if : (I)the organization requires that information system developers create and implement a configuration management plan that controls changes to the system during development, tracks security flaws, requires authorization of changes, and provides documentation of the plan and its implementation.