Introduction to Configuration Management
Background
The CMS Policy for Configuration Management, CMS-CIO-POL-MGT01-01, April 2012 (hereafter simply “CMS CM Policy”) formalizes the management and control of CMS’s inventory of IT assets in a disciplined manner to ensure their integrity and availability to support the CMS mission.
Toward that end, CMS has tailored the ISO/IEC 12207 standard, Software Life Cycle Processes, to meet CMS’s specific needs and has documented these processes in the CMS Target Life Cycle framework.
As CMS implements components of this IT Modernization, it needs policies, standards, charters, processes, and procedures for planning, managing, governing, executing, and controlling the enterprise CM process.
Purpose
This Configuration Management (CM) chapter establishes business rules and recommended practices for IT configuration management of the CMS enterprise. CM processes are both managerial and technical activities, and the contents of this chapter apply to both disciplines as appropriate. As noted in the CMS CM Policy, these business rules cover the automated systems, software applications and products, supporting hardware and software infrastructure, as well as contractor deliverables, associated documentation, and services that are used on behalf of CMS. The business rules expressed in this chapter support the Agency’s CM framework and provide guidance to the CMS enterprise for developing and applying CM plans, processes, and procedures that describe the effective management and implementation of CM practices within CMS.
This chapter integrates modern configuration management practices from the DevOps movement with traditional practices defined in the IT Infrastructure Library (ITIL). This allows CM projects to begin adoption from familiar concepts and terminology.
Scope
This chapter represents the required standards for conducting CM activities performed by CMS and CMS contractor partners across all CMS Processing Environments. The guidance stated in this chapter reflects the CMS agreed-upon industry and government best practices to support the most viable approach for CMS that meets legislatively mandated security and privacy requirements as well as current technical standards and specifications.
In concert with the CMS CM Policy, the concepts, strategies, business rules, and recommended practices in this chapter promote the alignment of IT activities and IT assets owned or controlled by CMS, including those of CMS’s agents, contractors, or other business partners when acquired or supported by CMS funding. Accordingly, this chapter applies to all hardware, software, supporting infrastructure, services, interfaces, data, and associated documentation—regardless of origin, nature, or location (e.g., contractor, in-house, development, operations, internal and external systems, and all hosting data centers)—unless otherwise specified.
Compliance with Existing Federal, HHS, and CMS Policies
The CM provisions of the following documents supersede this chapter. CMS projects need to comply with these CM provisions as appropriate, especially those associated with system-level infrastructure CM.
- National Institute of Standards and Technology (NIST), Special Publication (SP) 800-128, Guide for Security-Focused Configuration Management of Information Systems, October 2019.
- HHS Policy for Information Systems Security and Privacy.
- CMS Acceptable Risk Safeguards (ARS).
- CMS Policy for Capability Maturity Model Integration.
- CMS Risk Management Handbook (RMH) Chapter 5: Configuration Management.
- Federal Acquisition Regulation (FAR) Subparts 39.1, Acquisition of Information Technology; 42.3, Contract Administration Office Functions; and 52.248-3, Value Engineering-Construction.
The following configuration standards are mandatory for devices and systems:
- HHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications.
- Defense Information Systems Agency (DISA) Security Technical Implementation Guides (STIGs).
Note: The foregoing three citations form the standard security baselines against which compliance is tracked and monitored. Maintaining these baselines is a systems engineering responsibility, which is distinct from configuration management at the project level, where the goal is controlled evolution driven by business goals.