CM-3: Configuration Change Control
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- CM-3: Configuration Change Control
Control Statement
- Determine and document the types of changes to the system that are configuration-controlled;
- Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
- Document configuration change decisions associated with the system;
- Implement approved configuration-controlled changes to the system;
- Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
- Monitor and review activities associated with configuration-controlled changes to the system; and
- Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].
Supplemental Guidance
Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, vulnerability remediation, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.
Control Enhancements
CM-3(1): Automated Documentation, Notification, and Prohibition of Changes
Baseline(s):
- High
Use [Assignment: organization-defined automated mechanisms] to:
- Document proposed changes to the system;
- Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval;
- Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period];
- Prohibit changes to the system until designated approvals are received; …
CM-3(2): Testing, Validation, and Documentation of Changes
Baseline(s):
- Moderate
- High
Test, validate, and document changes to the system before finalizing the implementation of the changes.
CM-3(3): Automated Change Implementation
Baseline(s):
Implement changes to the current system baseline and deploy the updated baseline across the installed base using [Assignment: organization-defined automated mechanisms].
CM-3(4): Security and Privacy Representatives
Baseline(s):
- Moderate
- High
Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element].
CM-3(5): Automated Security Response
Baseline(s):
Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: [Assignment: organization-defined security responses].
CM-3(6): Cryptography Management
Baseline(s):
- High
Ensure that cryptographic mechanisms used to provide the following controls are under configuration management: [Assignment: organization-defined controls].
CM-3(7): Review System Changes
Baseline(s):
Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
CM-3(8): Prevent or Restrict Configuration Changes
Baseline(s):
Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances].
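As an added illustration (not text from SP 800-53 or any NIST tool), the following Python model shows what the automated mechanisms called for in CM-3(1), CM-3(5) and CM-3(7) amount to in practice: proposals are documented, the approval authority is notified, proposals left undecided past the defined period are highlighted, unapproved changes are prohibited, and the live configuration is reviewed against the approved baseline with an automatic revert of unauthorized drift. The configuration settings, change identifiers and reviewer names are constructed for the example.

```python
# Added example, not text from NIST SP 800-53: a minimal change-control ledger that
# models CM-3(1) (document, notify, highlight overdue, prohibit), CM-3(5) (automated
# response) and CM-3(7) (review for unauthorized change). Configuration is a plain
# dict of setting -> value; every name and value below is constructed for illustration.
from datetime import datetime, timedelta

class ChangeControl:
    def __init__(self, baseline: dict):
        self.baseline = dict(baseline)  # the approved, configuration-controlled state
        self.proposals = {}             # change_id -> record: CM-3(1)(a), documented proposals
        self.log = []                   # retained change decisions and actions: CM-3 c and e

    def propose(self, change_id, setting, new_value, requester, now: datetime):
        self.proposals[change_id] = {"setting": setting, "new_value": new_value,
                                     "requester": requester, "submitted": now, "status": "pending"}
        # CM-3(1)(b): the notification to the approval authority is represented by this message
        return f"APPROVAL REQUESTED {change_id}: {setting} -> {new_value!r} (requested by {requester})"

    def decide(self, change_id, approver, approved: bool, now: datetime):
        rec = self.proposals[change_id]
        rec["status"] = "approved" if approved else "disapproved"
        self.log.append((rec["status"], change_id, approver, now.isoformat()))

    def overdue(self, now: datetime, period: timedelta):
        # CM-3(1)(c): highlight proposals neither approved nor disapproved within the period
        return [cid for cid, r in self.proposals.items()
                if r["status"] == "pending" and now - r["submitted"] > period]

    def apply(self, change_id, now: datetime):
        rec = self.proposals[change_id]
        if rec["status"] != "approved":
            # CM-3(1)(d): prohibit the change until the designated approval is recorded
            raise PermissionError(f"{change_id} is {rec['status']}; change prohibited")
        self.baseline[rec["setting"]] = rec["new_value"]
        self.log.append(("applied", change_id, rec["setting"], now.isoformat()))

    def review(self, observed: dict):
        # CM-3(7): approved changes all went through apply(), so any difference between the
        # live configuration and the baseline is unauthorized; returns setting -> (baseline, observed)
        return {k: (self.baseline.get(k), observed.get(k))
                for k in set(self.baseline) | set(observed) if self.baseline.get(k) != observed.get(k)}

    def respond(self, observed: dict):
        # CM-3(5): the organization-defined automated response; here each unauthorized change
        # is logged and the approved baseline is reimposed, returning the configuration to enforce
        drift = self.review(observed)
        for setting, (expected, actual) in drift.items():
            self.log.append(("unauthorized_change_reverted", setting, actual, expected))
        return dict(self.baseline) if drift else dict(observed)
```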