CM-5(2): Review System Changes

CSF v1.1 References:

Threats Addressed:

Baselines:

  • High
Warning icon.

Control is withdrawn in the next version of this control set and incorporated into: CM-3(7): Review System Changes.

Control Statement

The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.

Supplemental Guidance

Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process.