Configuration Management Policy and Procedures
Configuration Management Policy for 18F
Agency Configuration Management Policy
The GSA CM policy is defined in the GSA IT Security Policy (CIO P 2100.1), which addresses purpose, scope, roles, responsibilities, and compliance for CM activities.
The GSA Office of the CISO is responsible for publishing the above documents to System Program Managers and Information System Security Officers and Managers (ISSO/Ms) on a centralized, agency-accessible website.
CM procedures are documented in the GSA IT Security Procedural Guide: Managing Enterprise Risks (CIO IT Security-06-30).
The 18F Program Office develops, documents, and disseminates to all 18F staff
The 18F configuration management policy which addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance and procedures to facilitate the implementation of the configuration management policy and associated configuration controls. The 18F security assessment and authorization policy is listed within its private GitHub repository https://github.com/18F/compliance-docs/blob/master/CM-Policy.md that is accessible to all 18F staff.
The GSA Office of the CISO is responsible for reviewing and updating the above documents annually, and notifying System Program Managers and Information System Security Officers and Managers (ISSO/Ms).
The 18F Program Office will review and update the current 18F configuration management policy at least every 3 years and any documented configuration procedures at least annually.