Software configuration management in a commercial context is largely synonymous with version control. In defense programs, version control is the least of your SCM obligations. The real discipline encompasses formal baseline establishment, a functioning Change Control Board, documented engineering change proposals, configuration status accounting reports, and configuration audits that a government representative must be able to walk into and verify. Miss any of those elements and you risk contract findings, schedule slips at system integration, and failed audits that stop deliveries. This guide covers each element in sequence — what it means, how to implement it correctly, and where programs typically fail.
What configuration management means in defense programs
Configuration management in the defense context is a management discipline defined by MIL-STD-973 and its civilian equivalents (EIA-649, ISO 10007). It spans four core functions: configuration identification (what are the controlled items and their attributes?), configuration control (how are changes evaluated and approved?), configuration status accounting (what is the current approved state of each item?), and configuration verification and audit (does the product match its approved baseline?).
The scope extends well beyond source code. A defense system's configuration items (CIs) include hardware assemblies, printed circuit boards, firmware images, software executables, technical manuals, test procedures, interface control documents, and even support equipment. Each CI is formally designated with a unique identifier, an owning engineering discipline, and a documented parent-child relationship to the system-level CI tree. Changing any CI's attributes — its performance specification, its interface definition, its part number — triggers the configuration control process.
For software teams, the practical implication is that SCM is not owned solely by the software group. The defense software agile challenges that arise from concurrent hardware and software development are fundamentally a configuration management problem: when hardware CIs change their interface specifications, software CIs must be notified and updated through a formal process, not through an ad-hoc Slack message. The interface control document (ICD) is a controlled item; changes to it require an approved Engineering Change Proposal before any implementation begins.
This breadth is why defense programs maintain a dedicated Configuration Management Office (CMO) staffed by specialists, rather than assigning SCM responsibilities to a developer as a part-time duty. The CMO maintains the Configuration Management Database, prepares and chairs the CCB, tracks all open ECPs, and prepares for configuration audits. On programs smaller than 50 people the CMO may be a single person — but it must be a person, with dedicated time, not a committee with no clear owner.
Baseline types and their lifecycle
MIL-STD-973 defines three formal baseline types that mark milestones in the system development lifecycle. Each baseline is a controlled snapshot of the approved technical documentation for the system or a CI at a defined point in the program.
| Baseline | Established at | Controls | Key documents |
|---|---|---|---|
| Functional Baseline (FBL) | PDR acceptance | What the system must do | SSS, Interface Requirements Specification |
| Allocated Baseline (ABL) | CDR acceptance | Requirements allocated to each CI | Software Requirements Specification, ICDs, development spec per CI |
| Product Baseline (PBL) | Physical Configuration Audit | The as-built product ready for delivery | Build specification, Software Version Description, BOM |
Functional Baseline. The FBL is established when the government accepts the system-level functional specification at PDR. It captures what the system must do — performance, functional, and interface requirements — without specifying how. Once closed, changes to the FBL require a Class I ECP and government concurrence. Software teams discover FBL changes most painfully during Functional Configuration Audits, when requirements they were never formally notified of appear on the audit checklist.
Allocated Baseline. The ABL closes at CDR and controls how system-level requirements are distributed across CIs. Each software CI's Software Requirements Specification (SRS) traces to the ABL. If a system requirement is subsequently reapportioned — say, a timing requirement shifts from a hardware CI to a software CI — that reapportionment is a Class I change requiring CCB approval and SRS revision before the software team changes a single line of code. Programs that allow informal re-apportionment in engineering hallway conversations end up with an SRS that reflects actual implementation rather than approved requirements, which fails FCA every time.
Product Baseline. The PBL is the culmination of the development process, established after the Physical Configuration Audit confirms that the delivered product matches its documented configuration. The PBL includes the build specification (exact source version, compiler, tool chain, and build parameters needed to reproduce the deliverable), the Software Version Description, and the as-built bill of materials. Once the PBL is established, the product enters sustainment configuration control — all changes, however small, require formal ECPs through the CCB.
Change control board structure and operations
The CCB is the decision-making body that evaluates proposed changes to controlled baselines. It is not a review board or a technical advisory group — it is a formal authority with documented charter, defined membership, and binding voting rules. A CCB that operates informally, that makes decisions in ad-hoc email threads rather than formal meetings with recorded minutes, is not a CCB in the MIL-STD-973 sense and will not satisfy a government audit.
Charter. The CCB charter is a controlled document (itself managed under SCM) that defines: the CCB's authority and scope; standing membership and alternates; quorum requirements (typically a majority of voting members); voting rules for routine changes, controversial changes, and emergency procedures; the ECP submission format and required supporting information; decision timelines (e.g., routine ECPs decided within 10 business days of submission); and the escalation path when the CCB cannot reach a decision.
Composition for a mid-sized program. A CCB for a 30–100 person defense software program typically includes:
- Chair: Chief Engineer or Program Manager — tie-breaking vote, ensures adherence to charter
- Secretary: Configuration Management Officer — prepares agendas, records minutes, maintains CMDB
- Voting members: Systems Engineering lead, Software lead, Hardware lead, Test lead, ILS/Logistics representative
- Non-voting participants: ECP originator, affected subsystem leads, Cost/Schedule analyst
- Government representative: COTR or PM — required for Class I changes, may attend or provide written concurrence
Meeting cadence. Most programs run weekly CCB meetings for routine changes, with a standing agenda that includes: status of previously approved ECPs; new ECPs submitted since last meeting (brief initial review); full presentations and votes on ECPs ready for decision; and emergency change ratifications. Emergency changes are authorized out-of-band by the CCB chair (and government representative for Class I) and ratified at the next scheduled CCB meeting — the ratification record closes the emergency authorization.
Minutes and records. Draft minutes must be distributed within 48 hours of the meeting and finalized within five business days. Minutes record: attendees, quorum status, ECPs reviewed with decision and vote tallies, action items with owners and due dates, and any dissenting views on controversial decisions. Minutes are controlled documents filed in the CMDB. The CM secretary's consistency in producing and filing minutes is one of the most significant factors in how prepared a program is for a configuration audit.
Engineering change proposals: class I vs class II
An Engineering Change Proposal (ECP) is the formal vehicle for proposing, evaluating, and approving changes to a controlled baseline. Every change to a configuration-controlled item that would affect the FBL, ABL, or PBL must be documented in an ECP before implementation begins — not after.
Class I vs Class II. The distinction determines who approves the change and how much process it requires:
- Class I: Affects a formally controlled baseline, a contractual commitment, an approved interface (ICD), a safety-critical requirement, or form/fit/function of a deliverable. Requires CCB approval plus government concurrence. Implementation is blocked until approval is obtained. Typical examples: adding a new capability to the SRS, changing an ICD data field, modifying a safety requirement, deleting a test procedure from the approved test plan.
- Class II: Internal technical change that does not affect any controlled baseline, contractual deliverable, or approved interface. Approved by the contractor's internal CCB without acquirer involvement. Recorded for audit trail but not subject to government review. Typical examples: refactoring internal module structure, changing a non-interface data structure, updating internal coding standards in a style guide that is not a CDRL.
The boundary between Class I and Class II is a frequent source of disagreement. The CMP must define this boundary with worked examples. A common pitfall is engineers independently deciding their change is Class II when it is actually Class I — changing the internal data format of a message that crosses a CI boundary is a Class I change even if the external interface (the ICD) appears unchanged, because the message format is an implicit interface.
Impact assessment. Every ECP requires a structured impact assessment before it can be voted on. The assessment covers: technical risk (what can go wrong with the proposed change?); schedule impact (how many days does this add to the schedule, including test regression?); cost impact (what is the estimated labor and material cost?); safety impact (does this change affect any safety-critical function or safety case assumption?); and interface impact (which other CIs, if any, must make corresponding changes?). For Class I changes, the impact assessment is prepared jointly by the originating engineer, the cost/schedule analyst, and the systems engineer. For changes with a safety impact, the safety engineer reviews and signs the assessment before CCB submission.
The ECP lifecycle: originator drafts ECP → CM secretary assigns number and logs in CMDB → CCB reviews at meeting → CCB votes (approve / reject / defer) → government concurrence obtained for Class I → ECP status updated to 'Approved for implementation' in CMDB → engineer implements change → version control commit tagged with ECP number → test evidence linked to ECP in CMDB → ECP closed. This complete audit trail — from origination through implementation and test evidence — is what government auditors look for during FCA and PCA. See also our guide on SBOM enforcement in defense pipelines, which intersects with ECP management for software supply chain changes.
Software configuration management toolchain
The SCM toolchain for a defense program must satisfy three constraints that do not apply in commercial development: the tools must be approvable under the program's Authority to Operate (ATO); they must support the formal traceability required by MIL-STD-973 and any applicable airworthiness standard; and — for most defense programs — they must operate in an air-gapped or partially air-gapped network environment.
Version control. Git is the de facto standard across unclassified and classified defense programs. For classified programs, self-hosted Git servers (GitLab Self-Managed, Bitbucket Data Center, or Gitea) are deployed within the accredited enclave. Branch protection rules enforce review requirements; signed commits provide non-repudiation for the audit trail. Repository naming conventions and branch naming conventions should be documented in the CMP and enforced through server-side hooks. For programs with DO-178C obligations, the version control system is a Tool Qualification candidate — the TQP must cover the specific server version, configuration, and the baseline-label operation that feeds the Software Version Description. For the broader context of running CI/CD in these environments, see our article on CI/CD for air-gapped defense.
Requirements management. IBM Engineering Requirements Management DOORS (classic and Next Generation) remains the most widely used requirements tool in defense programs, particularly those governed by MIL-STD-973 and DO-178C. Jama Software and PTC Windchill Requirements are common alternatives. The requirements tool must support bi-directional traceability (requirement → test case → test result) and must generate the traceability matrix artifacts required by the SDP/SCMP as CDRLs. The tool must itself be operated under configuration control: the requirement database is a configuration item, changes to requirements in the tool are change-controlled, and the tool's output must be reproducible from a labeled baseline.
Configuration Management Database. The CMDB tracks CI status, baseline associations, ECP records, waiver/deviation records, and configuration status accounting data. In large programs, the CMDB is often IBM Engineering Lifecycle Management (ELM) or a configured Jira instance with a CM plugin. Smaller programs sometimes use a disciplined Confluence + Jira combination. Whatever the choice, the CMDB must be in the accredited boundary, must have access controls that prevent unauthorized modification of approved records, and must generate the periodic Configuration Status Accounting Report that is a CDRL on most programs.
Air-gapped SCM server setup. The self-hosted Git server and CMDB are deployed on STIG-hardened RHEL instances inside the classified enclave. No connection to public repository hosting services. Package updates to the server software follow the program's media transfer procedure. The server's TLS certificates are issued by the program's internal PKI. Backups are stored in the enclave using encrypted storage with documented recovery procedures. Access to the version control server is governed by the program's access control list, with role-based permissions separating read, write, and administration access.
Configuration audits: FCA and PCA
Configuration audits are formal reviews conducted by or with government participation to verify that a CI or system meets its specified requirements (FCA) and that the product is accurately documented (PCA). They are not optional checkpoints — they are contract milestones that gate deliveries and payments.
Functional Configuration Audit (FCA). The FCA verifies that the software CI has satisfied all of its allocated requirements. The government audit team reviews: the approved SRS (ABL document) showing every requirement; the test procedures that test each requirement; the test results showing successful execution; the traceability matrix linking requirements to tests to results; and the open discrepancy reports showing all known anomalies and their resolution status. A common audit finding is requirements with no associated test — 'orphan requirements' that engineering teams meant to test but did not formally cover. Equally common is test procedures that claim to satisfy a requirement but actually test something adjacent to it — auditors read test procedures against requirements text literally. FCA preparation requires generating the traceability matrix from the requirements tool 60+ days in advance, reviewing it for gaps, and closing or documenting those gaps before the audit.
Physical Configuration Audit (PCA). The PCA verifies that the product to be delivered or fielded exactly matches its documented configuration. The core demonstration is build reproducibility: the contractor must show that, starting from the controlled source baseline identified in the Software Version Description, they can reproduce a binary that is byte-for-byte identical to the deliverable. This requires a complete build environment specification — not just the compiler version, but every tool in the build chain, every build flag, every environment variable that influences the output. Programs that use undocumented build environment dependencies discover this problem at PCA; the fix is to maintain the build environment as a configuration-controlled container image whose exact content is part of the PBL documentation.
# Build environment specification — PBL artifact
build_environment:
base_image: rhel9.4-build:2026.06.15
compiler: gcc-13.3.1
linker: binutils-2.41
make: gnu-make-4.4.1
java: openjdk-21.0.3
maven: apache-maven-3.9.8
flags:
CFLAGS: "-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2"
LDFLAGS: "-Wl,-z,relro,-z,now"
# Baseline label (tagged in version control)
source_baseline: csci-001-v3.2.1
svd_revision: D
# Verification hash (SHA-256 of deliverable binary)
deliverable_hash: e3b4c7a1f9d25843...
PCA preparation checklist items: confirm that the version control tag matching the SVD exists and is signed; generate the bill of materials from the CMDB and compare it to the actual package set in the build environment; verify that all approved waivers and deviations are documented and signed; and confirm that the open-item list matches the SVD's known anomalies section. Any discrepancy between the CMDB record and the physical product is an audit finding that must be resolved before the PCA can close.
MIL-STD-973 and DO-178C integration
Programs that produce airborne software must satisfy both MIL-STD-973 (the defense acquisition SCM standard) and DO-178C Section 7 (Software Configuration Management for airborne software certification). The two are complementary but have distinct emphases and deliverables.
Configuration Management Plan vs Software Configuration Management Plan. MIL-STD-973 requires a system-level CMP as a CDRL. DO-178C requires a separate Software Configuration Management Plan (SCMP) as a Software Life Cycle Data item. The SCMP must describe how all Software Life Cycle Data (SLCD) is placed under configuration control, how changes are managed, how baselines are established, and how the problem reporting and change control process works. The SCMP is reviewed by the DER (Designated Engineering Representative) or the certification authority as part of the software planning review. The system-level CMP and the SCMP should be consistent and cross-referential, but they are distinct documents with distinct audiences.
CDRLs for configuration management. A typical defense program's CM-related CDRLs include:
- DI-CMAN-80858A — Configuration Management Plan: Master SCM process document
- DI-CMAN-81259 — Configuration Status Accounting Report: Periodic CI status summary
- DI-CMAN-81000 — Engineering Change Proposal: Per-change deliverable
- DI-MCCR-80013A — Software Version Description: Per-release deliverable
- DI-CMAN-81121 — Interface Control Document: Per-interface deliverable
Tool qualification for SCM tools. DO-178C and the companion standard DO-330 require that Development Tools — tools whose output becomes part of the airborne software or whose failure could introduce undetected errors — be qualified. A version control system whose labeled baseline feeds the SVD deliverable is a candidate for TD3 qualification under DO-330. Qualification evidence includes Tool Operational Requirements (TOR), a Tool Qualification Plan, test records demonstrating the tool correctly stores and retrieves exact binary content, and a Problem Report process for the tool itself. Programs discover this requirement late, after they have already selected and deployed their version control server, because the DO-178C requirement is often read as applying only to compilers and code generators. Starting the Tool Qualification Plan for the SCM tool at the same time as the SCMP — during software planning — prevents the last-minute qualification scramble that delays certification.
Problem reporting and change control. DO-178C Section 7.3 requires a documented problem reporting process for all software life cycle data under CM control. Every anomaly — not just code defects, but errors in requirements, test procedures, design documents, and analysis reports — must be entered in the problem reporting system and tracked to closure. The problem report data feeds the FCA (showing open anomalies and their disposition) and the PCA (showing that the known anomaly list in the SVD is accurate and complete). Integrating the problem reporting system with the ECP workflow ensures that problems that require a baseline change generate an ECP automatically, rather than living in a separate defect tracker that auditors cannot correlate to the controlled baseline.
Programs that invest in this integration — a requirements tool feeding traceability to a test management tool, which feeds results to a CMDB that links to the ECP workflow — have demonstrably shorter FCA and PCA cycles and fewer post-audit findings than programs that manage these records in disconnected spreadsheets. The investment is significant, but the alternative — reconstructing audit evidence under time pressure as government representatives wait — is more expensive and more damaging to program relationships.