Special Publication 800-137 Information Security Continuous Monitoring for
Federal Information Systems and Organizations
APPENDIX D PAGE D-8
Identity and account configuration management tools allow an organization to manage
identification credentials, access control, authorization, and privileges. Identity management
systems may also enable and monitor physical access control based on identification credentials.
Identity and account configuration management tools often have the ability to automate tasks
such as account password resets and other account maintenance activities. These systems also
monitor and report on activities such as unsuccessful login attempts, account lockouts, and
resource access.
There are a wide variety of configuration management tools available to support an
organization’s needs. When selecting a configuration management tool, organizations should
consider tools that can pull information from a variety of sources and components. Organizations
should choose tools that are based on open specifications such as SCAP; that support
organization-wide interoperability, assessment, and reporting; that provide the ability to tailor and
customize output; and that allow for data consolidation into SIEM tools and management
dashboards.
The implementation and effective use of configuration management technologies can assist
organizations in automating the implementation, assessment, and continuous monitoring of
several NIST SP 800-53 security controls including AC-2, Account Management; AC-3, Access
Enforcement; AC-5, Separation of Duties; AC-7, Unsuccessful Login Attempts; AC-9, Previous
Logon (Access) Notification; AC-10, Concurrent Session Control; AC-11, Session Lock; AC-19,
Access Control for Mobile Devices; AC-20, Use of External Information Systems; AC-22,
Publicly Accessible Content; CA-2, Security Assessments; CA-7, Continuous Monitoring; CM-2,
Baseline Configuration; CM-3, Configuration Change Control; CM-5, Access Restrictions for
Change; CM-6, Configuration Settings; CM-7, Least Functionality; IA-2, Identification and
Authentication (Organizational Users); IA-3, Device Identification and Authentication; IA-4,
Identifier Management; IA-5, Authenticator Management; IA-8, Identification and Authentication
(Non-Organizational Users); IR-5, Incident Monitoring; MA-5, Maintenance Personnel; PE-3,
Physical Access Control; RA-3, Risk Assessment; SA-7, User Installed Software; SA-10,
Developer Configuration Management; and SI-2, Flaw Remediation. Organization-wide security
configuration management and engineering technologies may also provide supporting data to
assist organizations in responding to higher-level compliance reporting requirements in the areas
of configuration and asset management.
D.1.6 NETWORK MANAGEMENT
Network configuration management tools include host discovery, inventory, change control,
performance monitoring, and other network device management capabilities. Some network
configuration management tools automate device configuration and validate device compliance
against pre-configured policies. Network management tools may be able to discover unauthorized
hardware and software on the network, such as a rogue wireless access point.
The implementation and effective use of network management technologies can assist
organizations in automating the implementation, assessment, and continuous monitoring of
several NIST SP 800-53 security controls including AC-4, Information Flow Enforcement; AC-17,
Remote Access; AC-18, Wireless Access; CA-7, Continuous Monitoring; CM-2, Baseline
Configuration; CM-3, Configuration Change Control; CM-4, Security Impact Analysis; CM-6,
Configuration Settings; CM-8, Information System Component Inventory; SC-2, Application
Partitioning; SC-5, Denial of Service Protection; SC-7, Boundary Protection; SC-10, Network
Disconnect; SC-32, Information System Partitioning; and SI-4, Information System Monitoring.
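The two capabilities this section attributes to network management tools, discovering unauthorized hardware and validating device compliance against pre-configured policies, reduce to a comparison of scan results against an authorized inventory and a settings policy. The following is an added illustration, not code from NIST SP 800-137 or any product it describes; the baseline, policy and discovery data are constructed, and the mapping of findings to CM-8, CM-6 and AC-18 is an assumption about how such output would be tagged for a SIEM or dashboard.

```python
# Added example (not from NIST SP 800-137): compare a discovered network inventory
# with the authorized component baseline (CM-8) and check device settings against
# a pre-configured policy (CM-6). All device data is constructed.
from dataclasses import dataclass
# Authorized component inventory, keyed by MAC address (constructed).
BASELINE = {
    "00:11:22:33:44:01": {"hostname": "core-sw-1", "type": "switch"},
    "00:11:22:33:44:02": {"hostname": "edge-rtr-1", "type": "router"},
    "00:11:22:33:44:03": {"hostname": "ap-floor2", "type": "wireless_ap"},
}
# Pre-configured policy: required setting values per device type (constructed).
POLICY = {
    "switch": {"snmp_version": "3", "telnet_enabled": "no"},
    "router": {"snmp_version": "3", "telnet_enabled": "no"},
    "wireless_ap": {"encryption": "WPA2-Enterprise"},
}
# A constructed discovery result: compliant switch, router with a policy
# deviation, unknown access point, and the authorized AP absent.
DISCOVERED = [
    {"mac": "00:11:22:33:44:01", "ip": "10.0.0.2", "type": "switch",
     "settings": {"snmp_version": "3", "telnet_enabled": "no"}},
    {"mac": "00:11:22:33:44:02", "ip": "10.0.0.1", "type": "router",
     "settings": {"snmp_version": "2c", "telnet_enabled": "no"}},
    {"mac": "de:ad:be:ef:00:01", "ip": "10.0.0.77", "type": "wireless_ap",
     "settings": {"encryption": "open"}},
]
@dataclass(frozen=True)
class Finding:
    control: str  # NIST SP 800-53 control the finding supports (assumed mapping)
    device: str
    detail: str
def evaluate(discovered, baseline=BASELINE, policy=POLICY):
    """Return findings for unauthorized, non-compliant, and missing devices."""
    findings, seen = [], set()
    for dev in discovered:
        mac = dev["mac"]
        seen.add(mac)
        if mac not in baseline:  # unknown hardware; a rogue AP also falls under AC-18
            ctl = "AC-18" if dev["type"] == "wireless_ap" else "CM-8"
            findings.append(Finding(ctl, dev["ip"], f"unauthorized {dev['type']} {mac}"))
            continue
        name, dtype = baseline[mac]["hostname"], baseline[mac]["type"]
        for key, want in policy.get(dtype, {}).items():
            got = dev.get("settings", {}).get(key)
            if got != want:
                findings.append(Finding("CM-6", name, f"{key}={got!r}, expected {want!r}"))
    for mac, info in baseline.items():  # authorized devices that did not answer the scan
        if mac not in seen:
            findings.append(Finding("CM-8", info["hostname"], f"{mac} not discovered"))
    return findings
```

Running `evaluate(DISCOVERED)` yields three findings: the rogue access point (AC-18), the router's SNMP version deviation (CM-6), and the authorized access point that no longer answers discovery (CM-8).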