What is Our IS Configuration Management Role?

The Navy applies IS configuration management as a quality-assurance function. The requirements for trusted systems are taken directly from DoDD 5200.28. One of the control objectives is to assure that the security policy has been implemented correctly by a particular IS, and that the system's protection-relevant elements accurately enforce the intent of that policy. This assurance must include a guarantee that the trusted portion of the system works only as intended.

To accomplish these objectives, the IS Security Manual specifies that two types of assurance are needed:

"They are life-cycle assurance and operational assurance. Life-cycle assurance refers to steps taken by an organization to ensure that the system is designed, developed, and maintained using formalized and rigorous controls and standards. Computer systems that process and store sensitive or classified information depend on the hardware and software to protect that information. It follows that the hardware and software themselves must be protected against unauthorized changes that could cause protection mechanisms to malfunction or be bypassed completely."

Reevaluation is necessary whenever changes are made that could affect the integrity of the protection mechanisms. With proper security evaluation and control functions in place, the Navy feels that the hardware and software interpretation of the security policy will remain accurate and undistorted for a particular IS.

The Navy has developed an extensive IS security configuration management program, based on the requirements of DoDD 5200.28. Included below is a relevant section from Chapter 26 of the Navy's IS Security Manual.

"26.1 General. Configuration Management is that part of security concerned with the management of changes made to an Information System (IS) throughout the development and operational life of the system. Configuration Management protects a system against unauthorized modifications and ensures that all the properties of a system are maintained after an authorized modification. Configuration Management provides both control and accountability for all modifications made to a system."