Doc: NIST SP 800-53r3 Appendix F / CM-3
CM-3 CONFIGURATION CHANGE CONTROL
- Control: The organization:
- a. Determines the types of changes to the information system that are configuration controlled;
- b. Approves configuration-controlled changes to the system with explicit consideration for security impact analyses;
- c. Documents approved configuration-controlled changes to the system;
- d. Retains and reviews records of configuration-controlled changes to the system;
- e. Audits activities associated with configuration-controlled changes to the system; and
- f. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
- Supplemental Guidance: The organization determines the types of changes to the information system that are configuration controlled. Configuration change control for the information system involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the system, including upgrades and modifications. Configuration change control includes changes to components of the information system, changes to the configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers), emergency changes, and changes to remediate flaws. A typical organizational process for managing configuration changes to the information system includes, for example, a chartered Configuration Control Board that approves proposed changes to the system. Auditing of changes refers to changes in activity before and after a change is made to the information system and the auditing activities required to implement the change. Related controls: CM-4, CM-5, CM-6, SI-2.
- Control Enhancements: