catalog: SP800-53rev3 / class: Operational / family: (CM) Configuration Management

CM-04: Security Impact Analysis

base control objective:
The organization, including [Assignment: organization-defined list of personnel with information security responsibilities], analyzes changes to the information system prior to implementation and as part of the change approval process to determine potential security impacts.

supplemental objective information:
Organizational personnel with information security responsibilities include, for example, Information System Security Officers and Information System Security Managers. Individuals conducting security impact analyses have the appropriate skills and technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing information system documentation such as the security plan to understand how specific security controls are implemented within the system and how the changes might affect those controls. Security impact analysis may also include an assessment of risk to understand the impact of the changes and to determine whether additional security controls are required. Security impact analysis is an important activity in the ongoing monitoring of security controls in the information system.

enhancements to the base objective:

(1) The organization analyzes new software in a separate test environment before installation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional maliciousness.

(2) The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.
Enhancement Supplemental Guidance: Changes include information system upgrades and modifications.

mapping to FIPS199 baseline:

LOW: null (not selected)     MOD: base control     HIGH: base control + enhancement (1)

related (regimented) controls:

CA-02   Security Assessments
CA-07   Continuous Monitoring
CM-03   Configuration Change Control
CM-09   Configuration Management Plan
SI-02   Flaw Remediation

documents referenced in SP800-53rev3 for CM-04:

Document        Date             Status    Title
NIST SP800-83   September, 2006  current   Guide to Malware Incident Prevention and Handling