A.8.9 — Is configuration management formal: hardened baselines, drift detection? (NEW in 2022)
Demonstrate that the organization maintains documented hardened baseline configurations for all system types, employs automated drift detection to identify unauthorized changes, and remediates configuration deviations through formal processes.
Description
What this control does
Configuration management for information systems requires formally defined hardened baseline configurations, automated drift detection mechanisms, and remediation processes. Organizations establish secure configuration standards (e.g., CIS Benchmarks, vendor hardening guides) for operating systems, databases, network devices, and applications, then deploy tools that continuously compare deployed assets against these baselines. When a deviation is detected, whether caused by an unauthorized change, gradual configuration drift, or a security policy violation, automated alerts trigger investigation and remediation workflows that restore the asset to its compliant state.
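As an added illustration of the baseline-versus-live comparison described above (example code written for this page, not part of the control text or of any named tool), the following Python checks a captured sshd_config against a constructed CIS-style baseline and lists deviations by an assumed severity:

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional
# Constructed hardened baseline (CIS-style sshd_config settings). The severity
# attached to each setting is an assumption made for this example.
BASELINE = {
    "PermitRootLogin": ("no", "critical"),
    "PasswordAuthentication": ("no", "high"),
    "X11Forwarding": ("no", "medium"),
    "MaxAuthTries": ("4", "medium"),
    "ClientAliveInterval": ("300", "low"),
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

@dataclass(frozen=True)
class Deviation:
    setting: str
    expected: str
    actual: Optional[str]  # None: the setting is absent from the live config
    severity: str

def parse_config(text: str) -> dict[str, str]:
    """Parse 'Keyword value' lines; '#' lines and blanks are skipped."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            # keywords are case-insensitive; first occurrence wins, as in sshd
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def detect_drift(current: dict[str, str], baseline=BASELINE) -> list[Deviation]:
    """Return baseline settings that are missing or differ, worst severity first."""
    found = []
    for key, (expected, severity) in baseline.items():
        actual = current.get(key.lower())
        if actual is None or actual.lower() != expected.lower():
            found.append(Deviation(key, expected, actual, severity))
    return sorted(found, key=lambda d: SEVERITY_ORDER[d.severity])

# Constructed sshd_config captured from a host that has drifted from the baseline.
DRIFTED_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 6"""
```

A scheduled drift monitor would collect the live file from each host, run this comparison, and open a ticket for every returned deviation so the remediation trail the auditor traces actually exists.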
Control objective
What auditing this proves
Demonstrate that the organization maintains documented hardened baseline configurations for all system types, employs automated drift detection to identify unauthorized changes, and remediates configuration deviations through formal processes.
Associated risks
Risks this control addresses
- Attackers exploit default credentials, unnecessary services, or insecure protocol settings left in place due to absence of hardened baselines
- Configuration drift over time weakens security posture as ad-hoc changes accumulate without review or reversal
- Insider threats or compromised accounts make unauthorized system changes that remain undetected without drift monitoring
- Compliance violations occur when systems deviate from regulatory requirements (PCI DSS, HIPAA, FedRAMP) without detection
- Incident response and forensics are hindered when baseline configurations are undocumented and deviations cannot be identified
- Vulnerability exploitation increases when security patches are reversed or security settings disabled through uncontrolled configuration changes
- Inconsistent configurations across asset inventory create security gaps and prevent scalable security controls
Testing procedure
How an auditor verifies this control
- Obtain the organization's configuration management policy and procedures, including defined roles, approval workflows, and baseline update processes
- Request documented hardened baseline configurations for a representative sample of asset types (Windows servers, Linux servers, network switches, databases, cloud instances)
- Verify baselines reference authoritative hardening standards such as CIS Benchmarks, DISA STIGs, vendor-specific hardening guides, or custom security requirements with documented rationale
- Identify the configuration drift detection tools deployed (e.g., configuration management platforms, vulnerability scanners with compliance modules, cloud-native drift detection services)
- Review configuration scan results or compliance reports from the past 90 days, noting detected deviations, severity classifications, and drift frequency patterns
- Select five identified configuration drift incidents and trace each through the remediation workflow, verifying ticketing, root cause analysis, correction activities, and approval records
- Execute a live drift detection test by requesting a sample system scan and comparing current configuration against documented baseline to verify tool effectiveness
- Interview system administrators and configuration management tool operators to validate understanding of baseline maintenance, exception approval processes, and escalation procedures for critical deviations