TABLE OF CONTENTS ISC remains deeply apologetic that prior versions of BIND did not properly catch the configuration error that you appear to have built your business on.
Paul Vixie, author of various RFCs
A Configuration Management Plan shows evidence that software changes, including code, operating systems settings, and application configurations, are known and tracked. The settings and configurations that are known and tracked should include the technical security controls. The Configuration Management Plan is a living document and should be updated through the life cycle of the systems that it references.
Some agencies may have one global Configuration Management Plan for the entire agency, and other agencies may develop Configuration Management Plans at the bureau or project level. If your organization actively contributes to an agency-wide Configuration Management Plan by sending in regular updates, you can likely use that Configuration Management Plan for your C&A package.
Before starting to write a Configuration Management Plan, find out if your group or department already participates in updating an existing one. If one does exist, you can use it for your C&A package as long as assets from your hardware and software inventory of your C&A package are named and tracked in that plan. If you are unsure if an existing Configuration Management Plan will be acceptable, schedule a meeting with the evaluation team and present them with your questions. They should be able to give you guidance before you start working on your Configuration Management Plan
