The IT Law Wiki


Configuration control is the

  - [p]rocess for controlling modifications to hardware, firmware, software, and documentation to protect the information system against improper modifications before, during, and after system implementation.[1]
  - [a]n element of configuration management, consisting of the evaluation, coordination, approval or disapproval, and implementation of changes to configuration items after formal establishment of their configuration identification.[2]


"Configuration control helps protect against unauthorized or malicious alteration of a system and thus provides assurance of system integrity."[3]


  1. CNSSI 4009, at 32; NIST Special Publication 800-53.
  2. Information Technology: An Audit Guide For Assessing Acquisition Risks, Glossary, at 90.
  3. IETF Network Working Group, Internet Security Glossary, Version 2 (RFC 4949) (Aug. 2007).