CM-4: Security Impact Analysis

CSF v1.1 References:


  • Low
    • CM-4
  • Moderate
    • CM-4
  • High

Next Version:

Control Statement

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

Supplemental Guidance

Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.

Control Enhancements

CM-4(1): Separate Test Environments


  • High

The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

CM-4(2): Verification Of Security Functions


(Not part of any baseline)

The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.