SA-10(2): Alternative Configuration Management

Control Family:

System and Services Acquisition

Parent Control:

SA-10: Developer Configuration Management

CSF v1.1 References:

PR.DS-8
PR.IP-1
PR.IP-2
PR.IP-3

Threats Addressed:

Tampering

Baselines:

(Not part of any baseline)

Previous Version:

NIST Special Publication 800-53 Revision 4:
SA-10(2): Alternative Configuration Management Processes

Control Statement

Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.

Supplemental Guidance

Alternate configuration management processes may be required when organizations use commercial off-the-shelf information technology products. Alternate configuration management processes include organizational personnel who review and approve proposed changes to systems, system components, and system services and conduct security and privacy impact analyses prior to the implementation of changes to systems, components, or services.