CM-03 Configuration Change Control

Baselines

Guidance

Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.

References 3

• SP 800-124 Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1.
• SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
• IR 8062 Brooks S, Garcia M, Lefkovitz N, Lightman S, Nadeau E (2017) An Introduction to Privacy Engineering and Risk Management in Federal Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8062.

Control Enhancements 8

• CM-03(01) Automated Documentation, Notification, and Prohibition of Changes L M H P
• CM-03(02) Testing, Validation, and Documentation of Changes L M H P
• CM-03(03) Automated Change Implementation L M H P
• CM-03(04) Security and Privacy Representatives L M H P
• CM-03(05) Automated Security Response L M H P
• CM-03(06) Cryptography Management L M H P
• CM-03(07) Review System Changes L M H P
• CM-03(08) Prevent or Restrict Configuration Changes L M H P

Related controls 23

• CA-07 Continuous Monitoring L M H P
• CM-02 Baseline Configuration L M H P
• CM-04 Impact Analyses L M H P
• CM-05 Access Restrictions for Change L M H P
• CM-06 Configuration Settings L M H P
• CM-09 Configuration Management Plan L M H P
• CM-11 User-installed Software L M H P
• IA-03 Device Identification and Authentication L M H P
• MA-02 Controlled Maintenance L M H P
• PE-16 Delivery and Removal L M H P
• PT-06 System of Records Notice L M H P
• RA-08 Privacy Impact Assessments L M H P
• SA-08 Security and Privacy Engineering Principles L M H P
• SA-10 Developer Configuration Management L M H P
• SC-28 Protection of Information at Rest L M H P
• SC-34 Non-modifiable Executable Programs L M H P
• SC-37 Out-of-band Channels L M H P
• SI-02 Flaw Remediation L M H P
• SI-03 Malicious Code Protection L M H P
• SI-04 System Monitoring L M H P
• SI-07 Software, Firmware, and Information Integrity L M H P
• SI-10 Information Input Validation L M H P
• SR-11 Component Authenticity L M H P