Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

NIST SP 800-128

Guide for Security-Focused Configuration Management of Information Systems

Date Published: August 2011 (includes updates as of 10-10-2019)

Supersedes: SP 800-128 (08/12/2011)


L. Johnson (NIST), Kelley Dempsey (NIST), Ron Ross (NIST), Sarbari Gupta (Electrosoft Services), Dennis Bailey (Electrosoft Services)



Configuration management; information systems; security program; risk management framework; security-focused continuous monitoring; SecCM; control; monitoring; security content automation protocol (SCAP)
Control Families

Configuration Management


Download URL

Supplemental Material:
None available

Document History:
10/10/19: SP 800-128 (Final)