SA-10(2): Alternative Configuration Management

CSF v1.1 References:

Threats Addressed:


(Not part of any baseline)

Previous Version:

Control Statement

Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.

Supplemental Guidance

Alternate configuration management processes may be required when organizations use commercial off-the-shelf information technology products. Alternate configuration management processes include organizational personnel who review and approve proposed changes to systems, system components, and system services and conduct security and privacy impact analyses prior to the implementation of changes to systems, components, or services.