CM-04 Impact Analyses
Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.
Baselines
- L
- M
- H
- P
Guidance
Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required.
References 1
- SP 800-128 Johnson LA, Dempsey KL, Ross RS, Gupta S, Bailey D (2011) Guide for Security-Focused Configuration Management of Information Systems. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-128, Includes updates as of October 10, 2019.
Control Enhancements 2
Related controls 12
- CA-07 Continuous Monitoring L M H P
- CM-03 Configuration Change Control L M H P
- CM-08 System Component Inventory L M H P
- CM-09 Configuration Management Plan L M H P
- MA-02 Controlled Maintenance L M H P
- RA-03 Risk Assessment L M H P
- RA-05 Vulnerability Monitoring and Scanning L M H P
- RA-08 Privacy Impact Assessments L M H P
- SA-05 System Documentation L M H P
- SA-08 Security and Privacy Engineering Principles L M H P
- SA-10 Developer Configuration Management L M H P
- SI-02 Flaw Remediation L M H P