The usual advice is:
- bring up a new server that contains (in masterfiles) a copy of your site policy
- change your process for initializing new hosts to use the new server
- rebootstrap your existing hosts to the new server
This was provided by a friend who is extensively involved with
CFEngine, great stuff I couldn't seem to google so easily before.