CM-3(7): Review System Changes

Control Family:

Configuration Management

Parent Control:

CM-3: Configuration Change Control

CSF v1.1 References:

PR.IP-1
PR.IP-3
DE.CM-1
DE.CM-7

Threats Addressed:

Tampering

Baselines:

(Not part of any baseline)

Control is new to this version of the control set and incorporates the following control from the previous version: CM-5(2): Review System Changes.

Control Statement

Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.

Supplemental Guidance

Indications that warrant a review of changes to the system and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process or continuous monitoring process.

Control Statement

Supplemental Guidance

Related Controls

NIST Special Publication 800-53 Revision 5