KSI-SVC-ACM—Automating Configuration Management
Formerly KSI-SVC-04
>Trust Center Components
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express asset management through automated discovery dashboards — CMDB platforms maintaining real-time asset inventories, configuration baseline compliance tracked as a metric, and unauthorized asset detection triggering automated alerts. The asset inventory becomes a continuously updated trust center feature rather than a periodic manual reconciliation.
Asset Inventory Dashboard
Dashboard expressing asset management posture — inventory completeness, unauthorized assets, and configuration compliance as live indicators
Configuration Management Architecture
Architecture expressing how configurations are managed, baselined, and monitored for drift
Asset and Configuration Management Policy
Human-readable policy for asset inventory, configuration management, and CMDB maintenance — documents intent behind automated discovery
>Programmatic Queries
CLI Commands
terraform plan -detailed-exitcode -no-color
terraform state list
>20x Assessment Focus Areas
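The two commands above only become evidence when their results are interpreted correctly. `terraform plan -detailed-exitcode` returns 0 when the actual state matches the desired state, 1 when the plan fails, and 2 when the plan is non-empty. Exit code 2 on its own cannot tell out-of-band drift apart from code that simply has not been applied yet, and exit code 1 must be recorded as a failed check rather than as "no drift". The Python below is an added example (not code from this page, from FedRAMP, or from HashiCorp) that maps the exit code to an evidence label and folds the machine-readable `terraform plan -json` stream into a drift report that separates drift reverts from unapplied code. It assumes the Terraform 1.x JSON UI stream (one object per line with a `type` of `resource_drift`, `planned_change`, `change_summary` or `diagnostic`); the sample stream and the resource addresses in it (`aws_security_group.web`, `aws_s3_bucket.logs`, `aws_cloudwatch_log_group.audit`) are constructed for the example.

```python
"""Drift-detection evidence from `terraform plan -detailed-exitcode -json`.

Added example; not code from the KSI page or from HashiCorp.  Assumes the
Terraform 1.x machine-readable UI stream.  SAMPLE_PLAN_JSON is constructed.
"""
import json
import subprocess
from dataclasses import dataclass, field

# Documented exit codes for `terraform plan -detailed-exitcode`.
EXIT_NO_CHANGES = 0  # actual state matches desired state
EXIT_ERROR = 1       # plan failed: evidence is "error", never "compliant"
EXIT_CHANGES = 2     # non-empty plan: drift, unapplied code, or both


def classify_exit_code(code: int) -> str:
    """Map the exit code to an evidence label.  Code 2 alone cannot say whether
    the pending change is drift or unapplied code; parse_plan_json can."""
    return {EXIT_NO_CHANGES: "compliant",
            EXIT_CHANGES: "changes-pending"}.get(code, "error")


@dataclass
class DriftReport:
    drifted: dict = field(default_factory=dict)  # addr -> action seen outside Terraform
    planned: dict = field(default_factory=dict)  # addr -> action Terraform would apply
    errors: list = field(default_factory=list)   # error diagnostics from the run
    summary: dict = field(default_factory=dict)  # add/change/remove counts

    @property
    def drift_reverts(self) -> dict:
        """Planned changes that undo out-of-band edits (the drift to remediate)."""
        return {a: x for a, x in self.planned.items() if a in self.drifted}

    @property
    def unapplied_code(self) -> dict:
        """Planned changes with no drift behind them: code not yet applied."""
        return {a: x for a, x in self.planned.items() if a not in self.drifted}

    @property
    def compliant(self) -> bool:
        return not self.drifted and not self.planned and not self.errors


def parse_plan_json(lines) -> DriftReport:
    """Fold a `terraform plan -json` stream (one JSON object per line) into a report."""
    report = DriftReport()
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        msg = json.loads(raw)
        kind = msg.get("type")
        if kind == "resource_drift":
            change = msg["change"]
            report.drifted[change["resource"]["addr"]] = change["action"]
        elif kind == "planned_change":
            change = msg["change"]
            if change["action"] != "noop":
                report.planned[change["resource"]["addr"]] = change["action"]
        elif kind == "diagnostic" and msg.get("@level") == "error":
            report.errors.append(msg["diagnostic"]["summary"])
        elif kind == "change_summary":
            report.summary = msg["changes"]
    return report


def run_plan(workdir: str) -> tuple:
    """Run the real command in a Terraform working directory (needs terraform on
    PATH; not invoked by the sample below) and return (label, DriftReport)."""
    proc = subprocess.run(
        ["terraform", "plan", "-detailed-exitcode", "-json", "-no-color", "-input=false"],
        cwd=workdir, capture_output=True, text=True, check=False)
    return classify_exit_code(proc.returncode), parse_plan_json(proc.stdout.splitlines())


# Constructed sample stream: a security group edited in the console, a log
# bucket deleted out of band, and one new resource added in code but not applied.
SAMPLE_PLAN_JSON = """
{"@level":"info","@message":"Terraform 1.6.0","@module":"terraform.ui","type":"version","terraform":"1.6.0","ui":"1.2"}
{"@level":"info","@message":"aws_security_group.web: Drift detected (update)","@module":"terraform.ui","type":"resource_drift","change":{"resource":{"addr":"aws_security_group.web","module":"","resource":"aws_security_group.web","implied_provider":"aws","resource_type":"aws_security_group","resource_name":"web","resource_key":null},"action":"update"}}
{"@level":"info","@message":"aws_s3_bucket.logs: Drift detected (delete)","@module":"terraform.ui","type":"resource_drift","change":{"resource":{"addr":"aws_s3_bucket.logs","module":"","resource":"aws_s3_bucket.logs","implied_provider":"aws","resource_type":"aws_s3_bucket","resource_name":"logs","resource_key":null},"action":"delete"}}
{"@level":"info","@message":"aws_security_group.web: Plan to update","@module":"terraform.ui","type":"planned_change","change":{"resource":{"addr":"aws_security_group.web","module":"","resource":"aws_security_group.web","implied_provider":"aws","resource_type":"aws_security_group","resource_name":"web","resource_key":null},"action":"update"}}
{"@level":"info","@message":"aws_s3_bucket.logs: Plan to create","@module":"terraform.ui","type":"planned_change","change":{"resource":{"addr":"aws_s3_bucket.logs","module":"","resource":"aws_s3_bucket.logs","implied_provider":"aws","resource_type":"aws_s3_bucket","resource_name":"logs","resource_key":null},"action":"create"}}
{"@level":"info","@message":"aws_cloudwatch_log_group.audit: Plan to create","@module":"terraform.ui","type":"planned_change","change":{"resource":{"addr":"aws_cloudwatch_log_group.audit","module":"","resource":"aws_cloudwatch_log_group.audit","implied_provider":"aws","resource_type":"aws_cloudwatch_log_group","resource_name":"audit","resource_key":null},"action":"create"}}
{"@level":"info","@message":"Plan: 2 to add, 1 to change, 0 to destroy.","@module":"terraform.ui","type":"change_summary","changes":{"add":2,"change":1,"remove":0,"operation":"plan"}}
"""


def sample_report() -> DriftReport:
    return parse_plan_json(SAMPLE_PLAN_JSON.splitlines())


if __name__ == "__main__":
    r = sample_report()
    print("exit code 2 ->", classify_exit_code(EXIT_CHANGES))
    print("drifted:", r.drifted)
    print("drift reverts:", r.drift_reverts)
    print("unapplied code:", r.unapplied_code)
    print("compliant:", r.compliant)
```

Run on a schedule, the `drifted` count and the time until the next run reports it empty give the drift count and remediation time the Continuous Evidence questions ask for; `unapplied_code` is a change-management finding rather than drift and should be tracked separately. Two caveats: a run that exits 1 (for example because the state lock or provider credentials failed) must be counted as a failed check, not as "no drift"; and recent Terraform versions hide drift that does not affect the plan from their human-readable output, so a zero drift count should be read as "nothing to remediate" rather than "nothing was touched".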
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- What percentage of machine-based information resources are managed through automated configuration management, and which resource types are excluded?
- Does automated configuration management cover all resource categories — compute, containers, networking, storage, managed services, and security tooling?
- Are resources that cannot be managed through automation documented with compensating controls, and is there a plan to bring them under automation?
- How do you ensure configuration standards enforced by automation cover security hardening, compliance requirements, and operational best practices?
Automation & Validation:
- How do you detect configuration drift between the automated desired state and the actual running configuration, and what is the remediation SLA?
- What happens if the configuration automation tool itself fails or applies an incorrect configuration — how is the failure detected and rolled back?
- What automated validation runs after configuration is applied to confirm the resource is in the correct state and functioning properly?
- How do you test configuration changes in non-production environments before applying them to production through automation?
Inventory & Integration:
- What configuration management tools are in use (Ansible, Chef, Puppet, Terraform, cloud-native config services), and how do they coordinate across resource types?
- How does your configuration management system integrate with your asset inventory to confirm every resource has an assigned configuration policy?
- Are configuration definitions stored as code in version control with change review and approval workflows?
- How does configuration management integrate with your SIEM and change logging to track all configuration changes?
Continuous Evidence & Schedules:
- How do you demonstrate that automated configuration management has been active and effective over the past 90 days?
- Is configuration compliance data (drift counts, remediation times, coverage percentage) available via API or dashboard?
- What evidence shows configuration drift detection and remediation is continuous rather than periodic?
- How do you measure and demonstrate that configuration management coverage is increasing over time?