Organizational Control: Configuration Change Control

Control ID: CM-3 Configuration Change Control Family: Configuration Management Source: NIST 800-53r4
Control: The organization:
  1. Determines the types of changes to the information system that are configuration-controlled;
  2. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
  3. Documents configuration change decisions associated with the information system;
  4. Implements approved configuration-controlled changes to the information system;
  5. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
  6. Audits and reviews activities associated with configuration-controlled changes to the information system; and
  7. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g.,
  8. committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Supplemental Guidance:
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.

Related Controls: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12
Control Enhancements:
(1) Configuration Change Control | Automated Document / Notification / Prohibition Of Changes
The organization employs automated mechanisms to:
  1. Document proposed changes to the information system;
  2. Notify [Assignment: organized-defined approval authorities] of proposed changes to the information system and request change approval;
  3. Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
  4. Prohibit changes to the information system until designated approvals are received;
  5. Document all changes to the information system; and
  6. Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.

Supplemental Guidance:
Related Controls: N/A

(10) Configuration Change Control | Test / Validate / Document Changes
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
Supplemental Guidance: Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems).
Related Controls: N/A
References: NIST Special Publication 800-128.
Mechanisms:

Protocol Implementation Conformance Statements: N/A