CM-3(7): Review System Changes
(Not part of any baseline)
Control is new to this version of the control set and incorporates the following control from the previous version: CM-5(2): Review System Changes.
Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
Indications that warrant a review of changes to the system and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process or continuous monitoring process.