The CONFIG_PROTECT variable contains a space-delimited list of directories where Portage will not blindly copy over new versions of files, but instead treat the files as configuration files where the user should manually check if the changes are needed and valid or not. Sub-directories of the listed directories can be excluded through the CONFIG_PROTECT_MASK variable.
The variable has a sane default setting handled by the Portage installation and the users' Gentoo profile. It can be extended through the system environment (which is often used by applications that update the variable through their /etc/env.d file) and the users' /etc/portage/make.conf setting.
See also the Environment variables chapter in the Gentoo Handbook.