ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked

This subcategory is new to this version of the framework (CSF 2.0) and incorporates the following item from the previous version: PR.IP-3: Configuration change control processes are in place.

[ Note: Subcategories do not have detailed descriptions. However, NIST has provided the following implementation examples.]

Implementation Examples

Ex1: Implement and follow procedures for the formal documentation, review, testing, and approval of proposed changes and requested exceptions

Ex2: Document the possible risks of making or not making each proposed change, and provide guidance on rolling back changes

Ex3: Document the risks related to each requested exception and the plan for responding to those risks

Ex4: Periodically review risks that were accepted based upon planned future actions or milestones