April 20, 2010

Security Configuration Management with NIST SP800-128
by Kelley L. Dempsey

Abstract
NIST Special Publication (SP) 800-128 provides guidelines for managing the configuration of information system architectures and associated components for secure processing, storing, and transmitting of information. Security configuration management is an important function for establishing and maintaining secure information system configurations, and provides important support for managing organizational risks in information systems.

NIST SP 800-128 identifies the major phases of security configuration management and describes the process of applying security configuration management practices for information systems including: (i) planning security configuration management activities for the organization; (ii) planning security configuration management activities for the information system; (iii) configuring the information system to a secure state; (iv) maintaining the configuration of the information system in a secure state; and (iv) monitoring the configuration of the information system to ensure that the configuration is not inadvertently altered from its approved state.

The security configuration management concepts and principles described in NIST SP 800-128 provide supporting information for NIST SP 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations that include the Configuration Management family of security controls and other security controls that draw upon configuration management activities in implementing those controls. This publication also provides important supporting information for the Monitor Step (Step 6) of the Risk Management Framework that is discussed in NIST SP 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach."

About the Speaker                                                                             
Kelley Dempsey began her career in IT in 1986 as an electronics technician repairing PCs and printers before moving on to system administration and network management in the mid-1990s.  While employed by the Department of the Navy in 1999, she began focusing on information system security by training for and then conducting a large scale DITSCAP certification and accreditation from start to finish.  Kelley and her husband moved east in the spring of 2001 and Kelley joined the NIST operational Information Security team, managing the NIST information system certification and accreditation program through September 2008.  Kelley joined the NIST Computer Security Division FISMA team in October 2008 and has co-authored the upcoming initial public draft of NIST SP 800-128 (Security Configuration Management) and has been a major contributor to NIST SPs 800-53 Rev 3 and 800-37 Rev 1.  Kelley completed a B.S. degree in Management of Technical Operations from Embry-Riddle Aeronautical University, graduating cum laude in December 2003 and earned a CISSP certification in June 2004. 

April 20, 2010 6:30 PM

George Washington University
801 22nd Street NW
Room B149 (One floor below lobby)
Washington, DC 20052
View details

Please RSVP if you plan to attend.