
Chapter 5 - Configuration Management

Part 10

Page Section
Introduction 10-5.1
Purpose 10-5.1A
Background 10-5.1B
Scope 10-5.1C
Authorities 10-5.1D
Acronyms and Definitions 10-5.2
Acronyms 10-5.2A
Definitions 10-5.2B
Policy 10-5.3
Procedures 10-5.4
CM-1 Configuration Management Policy and Procedures 10-5.4A
CM-2 Baseline Configuration 10-5.4B
CM-3 Configuration Change Control 10-5.4C
CM-4 Security Impact Analysis 10-5.4D
CM-5 Access Restrictions for Change 10-5.4E
CM-6 Configuration Settings 10-5.4F
CM-7 Least Functionality 10-5.4G
CM-8 Information System Component Inventory 10-5.4H
CM-9 Configuration Management Plan 10-5.4I
CM-10 Software Usage Restrictions 10-5.4J
CM-11 User-Installed Software 10-5.4K
Responsibilities 10-5.5
Chief Information Security Officer 10-5.5A
Area Director 10-5.5B
Change Control Board 10-5.5C
Cybersecurity Incident Response Team 10-5.5D
Information System Security Officer 10-5.5E
Area Information System Coordinator 10-5.5F
System Owner 10-5.5G
System/Network Administrator 10-5.5H
Management Officials 10-5.5I
Office of Information Technology/Enterprise Technology Services 10-5.5J
Exhibit Description
Exhibit 10-5-A Cybersecurity and Privacy Control Definitions
"Configuration Management (CM) Controls"

10-5.1  INTRODUCTION

  1. Purpose. The purpose of this cybersecurity policy is to establish the management and control of system configurations.
  2. Background. The Indian Health Service (IHS) is responsible for safeguarding the information that it collects, records, transmits, and manages in the performance of its mission by reducing risk and minimizing the potential negative impact on computing resources, sensitive data, funds, productivity, and public health reputation.

    An information system comprises many components that can be interconnected in a multitude of arrangements to meet a variety of administrative, mission, and cybersecurity needs. How these information system components are networked, configured, and managed is critical for providing adequate information security and supporting an organization’s risk management process.

    In accordance with Federal Information Processing Standard (FIPS) 200, “Minimum Security Requirements for Federal Information and Information Systems,” National Institute of Standards and Technology (NIST) Special Publication (SP) 800-128, “Guide for Security-Focused Configuration Management of Information Systems,” and security controls required by the Department of Health and Human Services (HHS) and the IHS, the IHS must establish and maintain baseline configuration and inventories of organizational assets throughout the respective system life cycle as federally required.

  3. Scope. This chapter applies to all the IHS organizational components, including, but not limited to, Headquarters, Area Offices, and Service Units utilizing the IHS Information Technology (IT) networks and systems as well as contractual relationships involving the use of the IHS IT resources. This includes all of the IHS systems and activities that involve storage, transmission, and/or processing of IHS information using IT resources.

    This chapter pertains to activities conducted in all IHS locations, or while teleworking, on travel, or at other off-site locations. Agency officials must apply this chapter to contractor personnel, interns, externs, and other non-government employees by incorporating such references into contracts, Security Agreements, and Memoranda of Understanding as conditions for using government-provided IT resources.

  4. Authorities, Guidance, and Standards of Reference.
    1. Statutes and Regulations:
      1. Health Insurance Portability and Accountability Act (HIPAA) Security Rule, 45 C.F.R. Parts 160 and 164
      2. E-Government Act of 2002, P.L. 107-347
      3. Federal Information Security Modernization Act of 2014, P.L. 113-283
    2. Office of Management and Budget (OMB) Circular:

      OMB Circular A-130, “Managing Information as a Strategic Resource”
    3. Federal Information Processing Standards (FIPS):
      1. FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems
      2. FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems
      3. FIPS PUB 140-3, Security Requirements for Cryptographic Modules
    4. National Institute of Standards and Technology (NIST):
      1. NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, 2015, as revised by any successor guidance.
      2. NIST SP 800-70, Rev. 4, National Checklist Program for Information Technology (IT) Products – Guidelines for Checklist Users and Developers, 2018
      3. NIST SP 800-123, Guide to General Server Security, 2008
      4. NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, 2011
    5. HHS Office of the Chief Information Officer (OCIO) Policy and Guidance:
      1. HHS-OCIO-OIS-2021-11-006, HHS Policy for Information Security and Privacy Protection, November 18, 2021
      2. HHS End-of-Life Operating Systems, Software and Applications Policy, May 19, 2016
      3. HHS Minimum Security Configuration Standards Guidance, October 5, 2017
    6. Guidance:
      1. Committee on National Security Systems Instruction 1253F, Security Categorization and Control Selection for National Security Systems, Attachment 6, “Privacy Overlay,” 2015
      2. Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs)
      3. National Archives and Records Administration (NARA) General Records Schedule (GRS) 3.2: Information Security Systems Records

10-5.2  ACRONYMS AND DEFINITIONS

  1. Acronyms.
    (1) CCB Change Control Board
    (2) C.E. (c.e.) Control Enhancement
    (3) CSIRT Cybersecurity Incident Response Team
    (4) CISO Chief Information Security Officer
    (5) CM Configuration Management
    (6) DIS Division of Information Security
    (7) DISA Defense Information Systems Agency
    (8) ETS Enterprise Technology Services
    (9) FIPS Federal Information Processing Standards
    (10) FISMA Federal Information Security Modernization Act
    (11) GRS General Records Schedule
    (12) IEEE Institute of Electrical and Electronics Engineers
    (13) IHM Indian Health Manual
    (14) IHS Indian Health Service
    (15) ISSO Information System Security Officer
    (16) IT Information Technology
    (17) NARA National Archives and Records Administration
    (18) NIST National Institute of Standards and Technology
    (19) OCIO Office of the Chief Information Officer
    (20) OIT Office of Information Technology
    (21) OMB Office of Management and Budget
    (22) PHI/PII Protected Health Information/Personally Identifiable Information
    (23) P.L. Public Law
    (24) PUB Publication
    (25) SP Special Publication (NIST)
    (26) STIG Security Technical Implementation Guide
  2. Definitions.
    (1) Baseline Configuration. A set of specifications for a system, or configuration item within a system, that has been formally reviewed and agreed on at a given point in time, and which can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.
    (2) Configuration. The possible conditions, parameters, and specifications with which an information system or system component can be described or arranged.
    (3) Configuration Management. A collection of activities focused on establishing and maintaining the integrity of products and systems through control of the processes for initializing, changing, and monitoring the configurations of those products and systems throughout the system development life cycle.
    (4) Information System. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

10-5.3  POLICY

In accordance with statutory, regulatory, and Agency requirements, the IHS IT systems and applications (e.g., hardware, software, firmware, documentation, or a combination thereof) must have a CM plan. This plan must include the minimum requirements, as defined below, in accordance with the designated system category.

This policy governs the implementation of Manual Exhibit 10-05-A, IHS Cybersecurity and Privacy Control Definitions: Configuration Management Controls and related CM controls.

10-5.4  PROCEDURES

The below security controls are used to baseline, track, and manage the configurations of the IHS information technology assets (e.g., hardware, software, firmware, documentation, or a combination thereof) as a critical component of system protections and risk management. These baseline measures must be managed and monitored on an ongoing basis.

The below security controls (i.e., standards and risk factors) are used to safeguard and protect the confidentiality, integrity, and availability of the IHS systems, networks, and information. These baseline measures establish principles for CM and will be managed and monitored on an ongoing basis. Many of the security controls listed below apply to systems categorized as High-, Moderate-, and Low-impact, in terms of the effect a security compromise would have on the Agency’s mission. Other controls apply only to Moderate- and/or High-impact systems. Manual Exhibit 10-05-A presents all of the NIST 800-53 CM controls with an overlay of the IHS and HHS specific assignments and additions. Personnel should refer to Manual Exhibit 10-05-A to implement the complete set of CM controls. Some controls include enhancements (c.e.’s) that are not specifically enumerated below. The c.e.’s are referenced for each procedure below and are specifically identified in Manual Exhibit 10-05-A, which is incorporated by reference into this policy.

The IHS will adhere to the following NIST 800-53 Rev 4 control requirements, as revised by NIST and required by HHS:

  1. CM-1 Configuration Management Policy and Procedures. The IHS CIO is responsible for ensuring that the IHS meets Federal requirements to develop policies and procedures that govern implementation of Configuration Management and associated CM controls.
  2. CM-2 Baseline Configuration. Define, develop, document, and maintain a current baseline configuration for each information system under configuration control. Establish baseline configurations during the implementation phase of every system and review at least annually, or as required, such as due to upgrades, system modifications, and changes to organizational guidelines.

    This control is required for all systems. Moderate- or High-categorized systems must also meet CM-2 c.e.1, c.e.3, and c.e.7. In addition, High-categorized systems must also meet CM-2 c.e.2.

  3. CM-3 Configuration Change Control. Manage all system configurations by a change control process that ensures formal approval, documentation, record retention, and audit of changes, as well as automation of processes where possible. Coordinate and provide oversight for change control activities through Change Control Boards (CCBs) or other control bodies that convene at least monthly, or more frequently, as needed due to configuration change conditions.

    This control is not required for Low-categorized systems. Moderate- or High-categorized systems must also meet CM-3 c.e.2. In addition, High-categorized systems must also meet CM-3 c.e.1.

  4. CM-4 Security Impact Analysis. Prior to implementing changes to an information system, analyze the change for potential security and privacy impacts, and test the changes in a separate and commensurate test environment.

    This control is required for all systems. High-categorized systems must also meet CM-4 c.e.1.

  5. CM-5 Access Restrictions for Change. Define, document, approve, and enforce, through auditable system automation where possible, physical and logical access restrictions for modifying information system configurations. Audit configuration changes, as required by FISMA (2014) and OMB Circular A-130, to identify whether unauthorized changes have occurred.

    This control is not required for Low-categorized systems but is required for Moderate- and High-categorized systems. High-categorized systems must also meet CM-5 c.e.1, c.e.2, and c.e.3.

  6. CM-6 Configuration Settings. Establish, document, implement, and manage through auditable automation, where possible, configuration settings for IT products, per the DISA STIG and Security Requirements Guide applicable to the information system, to reflect the most restrictive mode consistent with operational requirements. Manage any deviations to required settings, including authorized and unauthorized changes, through established IHS procedures.

    This control is required for all systems. High-categorized systems must also meet CM-6 c.e.1 and c.e.2.

  7. CM-7 Least Functionality. Configure the information system to provide only essential capabilities and prohibit or restrict the use of high-risk programs, functions, ports, protocols, and/or services (e.g., Telnet, File Transfer Protocol). Audit systems at least annually to ensure non-secure functions are disabled.

    This control is required for all systems. Moderate-categorized systems must also meet CM-7 c.e.1, c.e.2, and c.e.4. High-categorized systems must also meet CM-7 c.e.1, c.e.2, and c.e.5.

  8. CM-8 Information System Component Inventory. Develop, document, and maintain an accurate and up-to-date inventory of information system components through automated mechanisms. Review the inventory at least annually, and at least every 180 days for High-categorized systems, to ensure that system components are accounted for and that unauthorized system components are detected and remediated.

    This control is required for all systems. Moderate- or High-categorized systems must also meet CM-8 c.e.1, c.e.3, and c.e.5. In addition, High-categorized systems must also meet CM-8 c.e.2 and c.e.4.

  9. CM-9 Configuration Management Plan. Develop, document, and implement a CM plan for the information system that defines configuration items, processes, and responsibilities. Protect the CM plan from unauthorized disclosure and modification, and review the plan on a monthly basis.

    This control is not required for Low-categorized systems but is required for Moderate- and High-categorized systems.

  10. CM-10 Software Usage Restrictions. Use software and associated documentation in accordance with contract agreements and copyright laws.

    This control is required for all systems.

  11. CM-11 User-Installed Software. Permit only approved roles to install software on government furnished equipment. Strictly prohibit unapproved users from installing software. Enforce software prohibition policies through User Account Control on all workstations and hosts, and monitor compliance with such policies at least monthly.

    This control is required for all systems.

10-5.5  RESPONSIBILITIES

Key personnel responsible for implementing the CM requirements are described below.

  1. Chief Information Security Officer. The Director, DIS, OIT, is designated by the IHS Chief Information Officer as the CISO, the Agency’s senior information security officer who directs and implements the IHS Cybersecurity Program. The CISO is responsible for ensuring cybersecurity-related CM requirements are implemented and compliant with Federal mandates.
  2. Area Director. The Area Director and their designees will support the Area IT Lead with the responsibility of ensuring the Area cybersecurity program funding and oversight.
  3. Change Control Board. The CCB is designated to review, control, and approve changes to a given application or system throughout its development and operational life cycle. The Board is responsible for:
    1. Reviewing proposed changes relating to IT infrastructure, hardware, software, and telecommunications. Approving/rejecting the implementation of the proposed change after considering the potential impact that a proposed change will have on production systems and ultimately the customer.
    2. Meeting monthly, or more often as necessary, to review all pending change tickets.
    3. Ensuring ample time is provided for customer notification when reviewing and approving the proposed implementation date.
  4. Cybersecurity Incident Response Team. The CSIRT responds to any malicious virus incidents and patch-related alerts. The CSIRT is responsible for:
    1. Auditing and reporting on the configuration and compliance of network devices.
    2. Defining response time for configuration alerts and remediation.
    3. Defining remediation actions for configuration incident types and responding to support requests for such incidents.
    4. Sending configuration remediation reports to the OIT ETS and Areas/facilities.
  5. Information System Security Officer. The ISSO serves as the Cybersecurity Program main point of contact for cybersecurity guidance and support for their assigned area and ensures the secure implementation and configuration of information systems. The ISSOs are responsible for reviewing audit and system log reports provided by system administrators and reporting any suspected cybersecurity incidents to the CSIRT for final action. Area ISSOs and their designees ensure required security activities are performed for systems under their authority. The ISSO responsibilities include:
    1. Reviewing and approving requests for system and computer access, software and hardware purchases.
    2. Reviewing information systems at least annually to ensure that unnecessary functions, ports, protocols, and/or services have been restricted, and that only essential capabilities are being used.
    3. Working with OIT to support and maintain the enterprise CM program locally.
    4. Responding with remediation steps in the event of a widespread zero-day patch release. This includes testing, validation, and preparation of deployment to local workstations and servers within eight business hours of patch release or recommended fix from OIT.
    5. Notifying the CSIRT when a configuration incident impacts the IHS network or data. Acknowledging and responding to the CSIRT and/or OIT/ETS within the defined response time regarding requests for configuration remediation action.
    6. Coordinating and assembling routine reports, per Area reporting requirements.
    7. Monitoring the client management system at the respective Area Office (including Headquarters OIT) by keeping current with the latest configurations and updates, and by monitoring overall system health (such as for slow system performance, incompatible client software, and network connectivity).
    8. Initiating the IHS incident response procedures for suspected cybersecurity incidents.
    9. Initiating the IHS privacy incident response procedures when a security incident appears to be a PHI/PII breach.
  6. Area Information System Coordinator. The Area Information System Coordinator ensures ownership is assigned for all IT resources within the operating unit (i.e., hardware, software, data, telecommunications, etc.).
  7. System Owner. System Owners are responsible for identifying and documenting configuration items, as follows:
    1. Establishing configuration item baselines at logical intervals and milestones.
    2. Ensuring change management procedures are followed throughout the system life cycle to include activities related to releases, delivery, operations, maintenance, support, and disposition.
    3. Adhering to and utilizing the IHS-approved automated tools to facilitate configuration, change, and release management.
    4. Ensuring proper impact analysis and coordination of affected systems or configuration items in release management.
    5. Conducting Privacy Threshold Analyses and Privacy Impact Analysis on their system(s), in coordination with the IHS Senior Official for Privacy.
  8. System/Network Administrator. The System Administrator is responsible for the effective provisioning, installation/configuration, operation, and maintenance of systems hardware and software and related infrastructure according to established system configuration definitions that are within the boundaries of support, based on the defined Tiered structure for the IHS. The System Administrator is responsible for:
    1. Notifying the respective ISSO and CSIRT of incidents that impact the IHS network and/or data owned or maintained by the IHS, and implementing incident response procedures when an incident occurs.
    2. Working closely with their ISSO, CSIRT, or other IHS Security Team to perform CM audits.
    3. Establishing appropriate logging mechanisms on all servers at the site/facility and ensuring auditing and logging are enabled and sufficient.
    4. Performing backups on a regular basis. Critical systems should be backed up at least daily.
    5. Verifying the functionality of hardware, and the integrity and reliability of the backup media and off-site storage.
    6. Identifying and maintaining availability of a local machine (server or workstation) to use as a site server for patch distribution files, and communicating this information to OIT/ETS.
    7. Testing all critical security patches against local standard system configurations within three business days of deployment to the local site server.
    8. Ensuring antivirus software and current updates are installed on every computing resource in the site/facility, including desktops, servers, and email gateways. This includes installing Microsoft and other third-party patches on all new Windows endpoints (servers and workstations) within the respective Area/facility before connecting the endpoints to the D1 domain.
    9. Assembling routine Area/facility patch management reports, utilizing the client management console, per Area/facility reporting requirements.
    10. Responding with remediation steps in the event of a widespread zero-day patch release. This includes testing, validation, and preparation of deployment to local workstations and servers within eight business hours of patch release or recommended fix from OIT.
  9. Management Officials. Managers ensure that all of the IHS CM policies and procedures are performed within their organizations by verifying audit data at any given time. This includes ensuring that users are restricted to accessing only the required information to perform their assigned job (“least privilege”). If a user experiences a change in job status (e.g., transfer, promotion, resignation), the manager confers with the appropriate IHS personnel to re-evaluate the user’s computer and system access and permissions.
  10. Office of Information Technology/Enterprise Technology Services. The OIT/ETS serves as the centralized enterprise service for design, configuration, and management of Area/Facility system environments and the entire enterprise client management environment. Specific OIT/ETS CM responsibilities include:
    1. Supporting enterprise antivirus and patch management services and ensuring compliance on all Windows endpoints (i.e., servers, workstations, and other devices as applicable) in the D1 domain.
    2. Testing and deploying critical patches within established timeframes.
    3. Providing support for all antivirus and patch-related issues and questions.
    4. Responding with remediation steps in the event of a widespread virus outbreak or zero-day patch release. This includes testing, validation, and preparation for deployment to local site servers within eight business hours of patch release or recommended fix from the vendor, or as determined by OIT (if applicable).
    5. Providing standard remediation actions.