AT&T Cybersecurity – Free and Commercial Tools to Implement the CIS Security Controls, Part 10 & 11: Secure Configurations & Control for Network
3.4 3.4.2 Configuration Management
https://cybersecurity.att.com/blogs/security-essentials/free-and-commercial-tools-to-implement-cis-security-controls-secure-config-control-for-network
This article lists free and commercial tools that a company can use to help comply with CIS Controls 10 and 11.
AT&T Cybersecurity – Inventory of Authorized and Unauthorized Software
3.4 3.4.8
https://cybersecurity.att.com/blogs/security-essentials/free-and-commercial-tools-to-implement-the-sans-top-20-security-controls-part-2
This article lists free and commercial tools that can help with software inventory management (e.g., blacklisting, whitelisting, unauthorized software identification).
https://hr.berkeley.edu/sites/default/files/change_management_toolkit.pdf
This document provides tips, tools, and techniques for leading a successful change initiative.
Canadian Centre for Cyber Security – Guidance for Hardening Microsoft Windows 10 Enterprise
3.4 3.4.6 Configuration Management
https://www.cyber.gc.ca/en/guidance/guidance-hardening-microsoft-windows-10-enterprise-itsp70012
This document provides guidance on Microsoft security features and tools that can be used to harden Windows 10 Enterprise Edition.
https://www.cisecurity.org/cis-benchmarks
This is a summary page for the 140+ configuration guidelines developed by CIS to safeguard systems across various technology groups.
https://www.cm-alliance.com/consultancy/security-change-management
Cyber Management Alliance is a company that offers consulting services for change management, specifically security change management.
Department of Homeland Security – Application Whitelisting (AWL): Strategic Planning Guide
3.4 3.4.8 Configuration Management
https://www.cisa.gov/sites/default/files/cdm_files/FNR_NIS_OTH_AWL_Strategic_Planning_Guide.pdf
This document highlights and summarizes the types of choices, and the related decisions, that need to be made prior to starting the planning process.
https://public.cyber.mil/stigs/
The Security Technical Implementation Guides (STIGs) are the configuration standards for DOD IA and IA-enabled devices/systems. The STIGs contain technical guidance to “lock down” information systems/software that might otherwise be vulnerable to a malicious computer attack.
DoD Instruction 8551.01 – Ports, Protocols, and Services Management (PPSM)
3.4 3.4.7 Configuration Management
https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/855101p.pdf
DoD Instruction 8551.01, Ports, Protocols, and Services Management (PPSM), standardizes procedures to catalog, regulate, and control the use and management of protocols in the Internet protocol suite and associated ports (also known as protocols, data services, and associated ports, or ports, protocols, and services; also referred to as PPS) on DoD information networks (DODIN), including the connected information systems, platform information technology (IT) systems, platform IT (PIT), and products. The instruction is based on the potential that unregulated PPSM can damage DoD operations and interests. It applies to all PPS used throughout planned, newly developed, acquired, and existing DODIN (whether used internal or external to the enclave), which include DoD Information Technology (IT).
Environmental Protection Agency – Configuration Management Procedures
3.4 3.4.7 Configuration Management
https://www.epa.gov/system/files/documents/2022-09/configuration_management_procedure.pdf
The purpose of this procedure is to facilitate the implementation of security control requirements for the Configuration Management control family, as identified in NIST SP 800-53.