Configuration Management is the process of maintaining systems, such as computer hardware and software, in the desired state. Configuration Management (CM) is also a method of ensuring that systems perform in a manner consistent with expectations over time.
Originally developed in the US military and now widely used in many different kinds of systems, CM helps identify systems that need to be patched, updated, or reconfigured to conform to the desired state. CM has often used with IT service management as defined by the IT Infrastructure Library (ITIL).
CM is a managerial discipline that aims to provide for the consistency and accuracy of product knowledge throughout its lifecycle and – for the same purpose – it is being used to different extents in most organizations. The primary objective of CM is to ensure that in all the phases of the product lifecycle, changes to product components (such as requirements, design and “as-made” information for both software and hardware aspects, whether they are related to the facility itself or to the telerobotics means) are assessed and approved before being implemented, recorded and traced after implementation. In other words, CM guarantees that facilities, including all the
systems, equipment and components, are accurately described all the time.
Configuration Management helps prevent undocumented changes from working their way into the environment. By doing so, CM can help prevent performance issues, system inconsistencies, or compliance issues that can lead to regulatory fines and penalties. Over time, these undocumented changes can lead to system downtime, instability, or failure.
Implementing effective CM processes not only improves safety in organizations but also has a direct positive impact on return on investment, product lifecycle costs, on-time deliveries and product quality
Performing these tasks manually is too complex in large systems. Software configuration management can involve hundreds or thousands of components for each application, and without proper documentation, IT organizations could easily lose track of which systems require attention, what steps are necessary to remediate problems, what tasks should be prioritized and whether changes have been validated and propagated throughout the system
CM is a discipline providing
Assurance that the configuration of a product is known and reflected in product information
Verification that product change is beneficial and effected without adverse consequences
Proof that a change is managed from idea inception to incorporation into all affected items
Properly applied, CM:
Serves both provider (developer, producer, supplier) and user (customer) of a product
Facilitates product support and product maintenance
Is a Cost Avoider not a Cost Driver
How does Configuration Management work?
The configuration management process begins with gathering information including configuration data from each application and the network topology. Secrets such as encryption keys and passwords should be identified so they can be encrypted and stored safely. Once collected, configuration data should be loaded into files that become the central repository of the desired state – the single version of the truth.
Once data has been collected the organization can establish a baseline configuration, which should be a known good configuration that can perform its intended operations without bugs or errors. Typically this baseline is established by noting the configuration of the working production environment and storing those configuration settings as the baseline.
When the baseline has been established, the organization should adopt a version control system. Many organizations utilize Git to create a repository of configuration data for this purpose.
Auditing and accounting help to ensure that any changes that are applied to the configuration are reviewed by stakeholders and accepted, ensuring accountability and visibility into configuration changes.
CM in Standards
ISO/IEC 12207 includes a CM definition and focuses on the importance of defining a CM strategy and policy to include the description of authorities for decision-making and change control, as well as methodologies and storage processes to be used for the CM system.
The CM activities defined in this standard are abstract and limited to the general steps of planning and execution. In the execution part, organizations are recommended to maintain configuration information with an appropriate level of integrity and to ensure the changes to the baselines are properly identified, evaluated, approved, incorporated and verified. For further information, this standard refers to ISO 10007.
In standard ISO 10007:2003, CM and its functionalities are defined. This standard is developed to provide a better understanding of the subject to organizations, to promote the use of CM and to assist organizations in applying this discipline. Similar to most of the standards, the information is very abstract in that there is only a brief description of the subject and the terminology, responsibilities and authority requirements and the process itself. According to this standard, the CM process comprises the main five stages of planning, identification, change control, status accounting and auditing, as introduced earlier in this paper.
This standard provides a more detailed description of what is expected in a CM plan. This demonstrates the importance of having a CM strategy and policy together with a clear set of defined roadmaps and methodologies, as well as clearly defined responsibilities and powers to
be used in each process stage.
Configuration Management ANSI/EIA-649 Functions and Principles
This document applies to hardware and software and provides CM requirements to be placed on contracts after being tailored by the Acquirer. The requirements have been organized by the following five CM functions.
The CM process is comprised of five (5) CM functions and their CM principles that together provide a flexible implementation structure. The CM process is used to provide consistency between product requirements, product configuration information and product attributes.
The five CM functions are;
1) Configuration Management Planning and Management Applies appropriate processes and tools to establish and maintain consistency between the product and the product requirements and attributes defined in product configuration information. Ensures that products conform to their requirements and are identified and documented in sufficient detail to support the product life cycle.
2) Configuration Identification: Assures accurate product configuration information and enables product interchangeability and safe product operation and maintenance to be achieved. Facilitates orderly identification of product attributes and provides control of product information and product changes used to improve capabilities; correct deficiencies; improve performance, reliability, or maintainability; extend product life; or reduce cost, risk or liability
3) Configuration Change Management
4) Configuration Status Accounting, and
5) Configuration Verification & Audit
EIA-649-1 Configuration Management Requirements for Defense Contracts
The US military standard EIA-649-B, which replaces the old MIL-STD-973, covers CM principles and practices more comprehensively. The importance of using a clear set of terminology for CM
is acknowledged and followed in this standard.
EIA-649-B proposes the following main activities to be followed by organizations in CM planning
• Implementing policies and procedures, resulting in effective product CM.
• Assigning CM functional responsibilities to various organizational elements.
• Training of CM personnel and any others who have CM responsibilities.
• Determining and applying adequate resources, including CM software tools and facilities.
• Establishing CM performance indicators to serve as a basis for continuous improvement.
• Ensuring the performance of CM by suppliers.
• Integrating the organization’s product configuration information processes.
ANSI/EIA-649-B and other standards, including MIL-STD-3046 and DoD addenda
to ISO/IEC/IEEE 15288, “Systems and Software Engineering–System Life Cycle Processes,” influenced the development of EIA-649-1.
This document defines configuration management requirements which are to be applied, based on program needs, in contracts with suppliers for products and/or their designs during the contract period of any Configuration Item (CI) which meets the following criteria:
a. Developed wholly or in part with Acquirer funds, including nondevelopmental items when the development of technical data is
required to support the products or services being acquired or
b. Designated for configuration management for reason of integration,
logistics support or interface controls.
The foreword to the EIA-649-1 further emphasizes the standard’s purpose and inherent
linkage to EIA-649-B:
This document defines requirements for a Defense enterprise implementation of the American National Standards Institute/Electronics Industry
Association, ANSI/EIA-649 in an Acquirer/Supplier contractual relationship.
The requirements are intended to be tailored by the Acquirer and cited in contracts or similar agreements with Suppliers to establish requirements for Configuration Management tasks consistent with ANSI/EIA-649 and each of its functions and principles.
Unless otherwise indicated, the requirements described herein apply to both hardware and software systems
It is the responsibility of the Acquirer to determine the specific needs for their respective programs and ensure that their contracts or agreements sufficiently communicate those requirements.
This standard also applies when other types of agreements exist, such as agreements between government organizations who play the roles of acquirer and supplier.
Finally, this document is intended to be used as a stand-alone reference, invoked on a contract where the acquirer intends to be consistent with ANSI/EIA-649 Principles, and may be used for Department of Defense (DoD) programs in all phases of the acquisition life cycle.
Even though EIA-649-1 is intended to satisfy DoD contracting requirements, this CM standard applies to any commercial or government enterprise engaged in acquirer/supplier CM activities