CM-03: Configuration Change Control
base control objective:
a. Approves changes to the information system with explicit consideration for security impact analyses;
b. Documents approved configuration-managed changes to the system;
c. Retains and reviews records of configuration-managed changes to the system;
d. Audits activities associated with configuration-managed changes to the system; and
e. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Assignment: organization-defined frequency].
supplemental objective information:
Configuration change control for the information system involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the system, including upgrades and modifications. Configuration change control includes changes to components of the information system, changes to the configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers), emergency changes, and changes to remediate flaws. A typical organizational process for managing configuration changes to the information system includes, for example, a chartered Configuration Control Board that approves proposed changes to the system. Auditing of changes refers to changes in activity before and after a change is made to the information system and the auditing activities required to implement the change.
enhancements to the base objective:
(1) The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify designated approval authorities;
(c) Highlight approvals that have not been received by [Assignment: organization-defined time period];
(d) Inhibit change until designated approvals are received; and
(e) Document completed changes to the information system.
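The five automated mechanisms in enhancement (1) describe one workflow: a proposal is recorded, designated approvers are notified, missing approvals are flagged once a time period has elapsed, the change is held back until every approval is in, and completion is recorded. The following is an added illustration of that workflow as a small ledger, written for this page and not taken from SP 800-53 or any product; the class and method names, the two-day approval window, and the change request data are all constructed for the demonstration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, FrozenSet, List, Optional, Tuple


class ChangeControlError(Exception):
    """Raised when the workflow refuses an action, e.g. implementing an unapproved change."""


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    security_impact: str                      # CM-3 a: the security impact analysis travels with the request
    proposed_at: datetime
    required_approvers: FrozenSet[str]        # designated approval authorities
    approvals: Dict[str, datetime] = field(default_factory=dict)
    implemented_at: Optional[datetime] = None
    audit_log: List[Tuple[datetime, str]] = field(default_factory=list)  # CM-3 c/d: retained, reviewable record


class ChangeControlBoard:
    """Hypothetical automated change-control element covering CM-3(1) items (a) to (e)."""

    def __init__(self, approval_deadline: timedelta, notify: Callable[[str, str], None]):
        self.approval_deadline = approval_deadline   # organization-defined time period for (c)
        self.notify = notify                         # (b) how approvers are told about a proposal
        self.changes: Dict[str, ChangeRequest] = {}

    def propose(self, change_id, description, security_impact, approvers, now):
        if change_id in self.changes:
            raise ChangeControlError(f"{change_id} already exists")
        if not security_impact.strip():
            raise ChangeControlError("a security impact analysis is required before approval")
        cr = ChangeRequest(change_id, description, security_impact, now, frozenset(approvers))
        cr.audit_log.append((now, "proposed"))                 # (a) document the proposed change
        self.changes[change_id] = cr
        for approver in sorted(cr.required_approvers):
            self.notify(approver, change_id)                   # (b) notify designated approvers
            cr.audit_log.append((now, f"notified {approver}"))
        return cr

    def approve(self, change_id, approver, now):
        cr = self.changes[change_id]
        if approver not in cr.required_approvers:
            raise ChangeControlError(f"{approver} is not a designated approver for {change_id}")
        cr.approvals[approver] = now
        cr.audit_log.append((now, f"approved by {approver}"))

    def overdue_approvals(self, now):
        """(c) Highlight changes whose approvals are still missing past the deadline."""
        overdue = []
        for cr in self.changes.values():
            missing = cr.required_approvers - set(cr.approvals)
            if cr.implemented_at is None and missing and now - cr.proposed_at > self.approval_deadline:
                overdue.append((cr.change_id, sorted(missing)))
        return overdue

    def implement(self, change_id, now, apply_change):
        """(d) Inhibit the change until every approval is recorded; (e) document completion."""
        cr = self.changes[change_id]
        missing = cr.required_approvers - set(cr.approvals)
        if missing:
            cr.audit_log.append((now, f"blocked: missing approvals {sorted(missing)}"))
            raise ChangeControlError(f"{change_id} blocked: missing approvals {sorted(missing)}")
        apply_change()                                         # the actual change is only reached here
        cr.implemented_at = now
        cr.audit_log.append((now, "implemented"))
        return cr


def run_demo():
    """Scripted scenario on constructed data; returns the observable outcomes."""
    notifications = []
    board = ChangeControlBoard(timedelta(days=2), lambda who, cid: notifications.append((who, cid)))
    t0 = datetime(2024, 1, 1, 9, 0)
    board.propose("CHG-001", "Open TCP/443 on the edge firewall for a new service",
                  "Adds one listener; WAF policy reviewed.", ["change-manager", "isso"], t0)
    applied = []
    blocked = False
    try:                                                       # attempt before any approval
        board.implement("CHG-001", t0 + timedelta(hours=1), lambda: applied.append("fw-rule"))
    except ChangeControlError:
        blocked = True
    unauthorized_rejected = False
    try:                                                       # someone outside the approver list
        board.approve("CHG-001", "intern", t0 + timedelta(hours=1))
    except ChangeControlError:
        unauthorized_rejected = True
    board.approve("CHG-001", "change-manager", t0 + timedelta(hours=2))
    overdue = board.overdue_approvals(t0 + timedelta(days=3))  # the ISSO has not answered yet
    board.approve("CHG-001", "isso", t0 + timedelta(days=3, hours=1))
    board.implement("CHG-001", t0 + timedelta(days=3, hours=2), lambda: applied.append("fw-rule"))
    cr = board.changes["CHG-001"]
    return {
        "notified": sorted(notifications),
        "blocked_before_approval": blocked,
        "unauthorized_rejected": unauthorized_rejected,
        "overdue": overdue,
        "applied": list(applied),
        "implemented": cr.implemented_at is not None,
        "audit_entries": len(cr.audit_log),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point to notice is that the approval gate sits in front of the only call that performs the change, so an unapproved request cannot be applied by accident, and the blocked attempt itself lands in the audit log, which is what the base control's auditing requirement (d) expects to find when records are reviewed.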
(2) The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
Enhancement Supplemental Guidance: The organization ensures that testing does not interfere with information system operations. The individual/group conducting the tests understands the organizational information security policies and procedures, the information system security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. A production information system may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If an information system must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. In situations where the organization cannot, for operational reasons, conduct live testing of a production system, the organization employs compensating controls (e.g., providing a replicated system to conduct testing) in accordance with the general tailoring guidance.
(3) The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
(4) The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element (e.g., committee, board)].
Enhancement Supplemental Guidance: Information security representatives can include, for example, information system security officers or information system security managers. The configuration change control element in this control enhancement is consistent with the change control element defined by the organization in CM-3.
mapping to FIPS 199 baseline:
MOD: base (2)
HIGH: base (1) (2)
related (regimented) controls:
CM-4 Security Impact Analysis
CM-5 Access Restrictions for Change
documents referenced in SP800-53rev3 for CM-03: