NIST SP 800-128

United States

v2011

10 domains

39 controls

Guide for Security-Focused Configuration Management

Verified

Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (10)

Controlling Configuration Changes

6 controls

Controls in the Controlling Configuration Changes domain of NIST SP 800-128 — 6 controls
Code	Title	Description
SecCM-CHANGE-1	Configuration Change Control Process	Establish a formal change control process requiring submission, review, approval, implementation, verification, and clos...
SecCM-CHANGE-3	Access Restrictions for Change	Define, document, and enforce physical and logical access restrictions associated with changes to information systems in...
SecCM-CHANGE-4	Testing and Validation	Test configuration changes in a representative non-production environment to validate functionality and security before...
SecCM-CHANGE-5	Retention of Configuration Records	Retain previous versions of baseline configurations and change records for a defined period to support rollback, forensi...
SecCM-CHANGE-6	Automated Change Control Tools	Use automated tools such as configuration management databases, version control systems, and SCAP-enabled scanners to en...
SecCM-CHANGE-7	Emergency Change Handling	Define an expedited process for emergency configuration changes that bypasses routine CCB review but requires retrospect...

Identifying & Implementing Configurations

5 controls

Controls in the Identifying & Implementing Configurations domain of NIST SP 800-128 — 5 controls
Code	Title	Description
SecCM-ID-1	Configuration Item Identification	Identify and document the configuration items subject to SecCM including hardware, operating systems, applications, firm...
SecCM-ID-2	Baseline Configuration Development	Develop, document, and maintain a current baseline configuration for each configuration item that records approved setti...
SecCM-ID-3	Common Secure Configurations	Adopt common secure configurations from authoritative sources such as USGCB, DISA STIGs, CIS Benchmarks, or vendor secur...
SecCM-ID-4	Least Functionality	Configure systems to provide only essential capabilities by disabling unused services, ports, protocols, and software, a...
SecCM-ID-5	Implementation and Provisioning	Implement approved baselines through automated provisioning, golden images, infrastructure-as-code templates, or scripte...

Monitoring

8 controls

Controls in the Monitoring domain of NIST SP 800-128 — 8 controls
Code	Title	Description
SecCM-MONITOR-1	Continuous Monitoring of Configurations	Establish continuous monitoring of configuration items to detect deviations from approved baselines using automated scan...
SecCM-MONITOR-2	Configuration Drift Detection	Compare actual system configurations against approved baselines on a defined cadence to identify drift, unauthorized cha...
SecCM-MONITOR-3	Vulnerability Identification and Remediation	Identify vulnerabilities arising from configuration weaknesses, missing patches, or end-of-life software through scannin...
SecCM-MONITOR-4	Compliance Reporting	Produce regular compliance reports showing configuration posture against baselines, benchmark scores, drift counts, and...
SecCM-MONITOR-5	Unauthorized Change Detection	Detect and respond to unauthorized configuration changes through file integrity monitoring, registry monitoring, change...
SecCM-MONITOR-6	Metrics and Measurement	Define and collect SecCM metrics covering baseline adoption rate, change approval cycle time, drift volume, vulnerabilit...
SecCM-MONITOR-7	Feedback into Baselines	Use monitoring findings to refine baseline configurations, update common secure configurations, retire obsolete settings...
SecCM-MONITOR-8	Audit and Independent Assessment	Subject SecCM activities to periodic independent assessment to verify policy adherence, baseline accuracy, change record...

NIST SP 800-128: Access Control

5 controls

Logical and physical access controls (NIST SP 800-128)

Controls in the NIST SP 800-128: Access Control domain of NIST SP 800-128 — 5 controls
Code	Title	Description
SP800-128-ACCESS-RESTRICT	Access Restrictions for Change	Define, document, approve, and enforce physical and logical access restrictions associated with changes to the informati...
SP800-128-BASELINE	Baseline Configuration	Develop, document, and maintain an approved baseline configuration of the information system as a basis for future build...
SP800-128-CHANGE-CONTROL	Configuration Change Control	Control changes to the baseline configuration through documented requests, approvals, testing, and tracking.
SP800-128-MONITORING	Configuration Monitoring	Assess and report on the configuration of the information system and identify and address unauthorized or undesirable co...
SP800-128-SIA	Security Impact Analysis	Analyze changes to the information system to determine potential security impacts prior to change implementation.

NIST SP 800-128: Asset Management

5 controls

Information asset management (NIST SP 800-128)

Controls in the NIST SP 800-128: Asset Management domain of NIST SP 800-128 — 5 controls
Code	Title	Description
SP800-128-CCB	Configuration Control Board	A board with responsibility for reviewing and approving proposed changes to the configuration baseline, including their...
SP800-128-CONFIG-ITEMS	Configuration Items	Identify the configuration items, the system components placed under configuration management and treated as a single en...
SP800-128-INVENTORY	Component Inventory	Develop and maintain an inventory of the information system components that comprise the system and are subject to confi...
SP800-128-PLAN-DOC	Configuration Management Plan	A comprehensive plan describing the SecCM roles, responsibilities, processes, and procedures applied to a system through...
SP800-128-SECURE-CONFIG	Secure Configurations of Information Systems	Establish secure configuration settings that reflect the most restrictive mode consistent with operational requirements.

NIST SP 800-128: Communications Security

0 controls

Network and communications security (NIST SP 800-128)

NIST SP 800-128: Cryptography

0 controls

Cryptographic controls (NIST SP 800-128)

NIST SP 800-128: Information Security Policies

5 controls

Organizational information security policies (NIST SP 800-128)

Controls in the NIST SP 800-128: Information Security Policies domain of NIST SP 800-128 — 5 controls
Code	Title	Description
SP800-128-PH-CONTROL	SecCM Phase: Controlling Configuration Changes	Manage changes to the baseline configuration through an analyzed, documented, and approved change control process.
SP800-128-PH-IDENTIFY	SecCM Phase: Identifying and Implementing Configurations	Develop, review, approve, and implement secure baseline configurations for information systems and their components.
SP800-128-PH-MONITOR	SecCM Phase: Monitoring	Validate that the system is adhering to organizational policies, procedures, and the approved secure baseline configurat...
SP800-128-PH-PLAN	SecCM Phase: Planning	Develop a configuration management plan, policy, and procedures, and establish the configuration control board to govern...
SP800-128-POLICY	Configuration Management Policy and Procedures	Establish the SecCM policy and procedures that address purpose, scope, roles, responsibilities, and compliance.

NIST SP 800-128: Operations Security

0 controls

Secure operations and monitoring (NIST SP 800-128)

Planning

5 controls

Controls in the Planning domain of NIST SP 800-128 — 5 controls
Code	Title	Description
SecCM-PLAN-1	SecCM Policy and Procedures	Establish, document, and disseminate organization-wide security-focused configuration management policy and supporting p...
SecCM-PLAN-2	SecCM Plan	Develop a SecCM Plan documenting the strategy, roles and responsibilities, configuration items in scope, baseline config...
SecCM-PLAN-3	Roles and Responsibilities	Define and assign SecCM roles including Information System Owner, Information System Security Officer, Configuration Con...
SecCM-PLAN-4	Integration with Organizational CM	Coordinate SecCM activities with broader enterprise configuration management, asset management, change management, and r...
SecCM-PLAN-5	Tools, Techniques, and Resources	Identify and document the automated tools, repositories, and resources required to support SecCM activities including co...

Maps to 1 other framework

39 total controls

NIST SP 800-53 Rev 5

21 source controls mapped|9 target controls covered

54%

Compare NIST SP 800-128 with NIST SP 800-53 Rev 5

Frequently Asked Questions

What is NIST SP 800-128?

NIST SP 800-128 is a compliance framework from United States with 10 domains and 39 controls. Guide for Security-Focused Configuration Management It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does NIST SP 800-128 have?

NIST SP 800-128 has 39 controls organised across 10 domains. The largest domains are Monitoring (8 controls), Controlling Configuration Changes (6 controls), Identifying & Implementing Configurations (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does NIST SP 800-128 map to?

NIST SP 800-128 maps to 1 other compliance frameworks. The top mapping partners are NIST SP 800-53 Rev 5 (54% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with NIST SP 800-128 compliance?

Start your NIST SP 800-128 compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST SP 800-128 requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 39 controls and track your progress.

Start Your Compliance Journey

Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 700 frameworks.

Get Started Free →

Free forever — no credit card required