Guidance for NIST 800-171 Assessment & Compliance

Zoom Window Out
Larger Text | Smaller Text
Hide Page Header
Show Expanding Text
Printable Version
Save Permalink URL

Navigation: CM-FAMILY: CONFIGURATION MANAGEMENT

CM-3 CONFIGURATION CHANGE CONTROL CM-3(1) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES

Scroll Prev Top Next More

Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

(O)ther than satisfactory +##

###

cm-3	configuration change control
	assessment objective: Determine if the organization:
	cm-3(a)	determines the type of changes to the information system that must be configuration-controlled;
	cm-3(b)	reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
	cm-3(c)	documents configuration change decisions associated with the information system;
	cm-3(d)	implements approved configuration-controlled changes to the information system;
	cm-3(e)	cm-3(e)[1]	defines a time period to retain records of configuration-controlled changes to the information system;
		cm-3(e)[2]	retains records of configuration-controlled changes to the information system for the organization-defined time period;
	cm-3(f)	audits and reviews activities associated with configuration-controlled changes to the information system;
	cm-3(g)	cm-3(g)[1]	defines a configuration change control element (e.g., committee, board) responsible for coordinating and providing oversight for configuration change control activities;
		cm-3(g)[2]	defines the frequency with which the configuration change control element must convene; and/or
		cm-3(g)[3]	defines configuration change conditions that prompt the configuration change control element to convene; and
		cm-3(g)[4]	coordinates and provides oversight for configuration change control activities through organization-defined configuration change control element that convenes at organization-defined frequency and/or for any organization-defined configuration change conditions.
	potential assessment methods and objects: Examine: [select from: Configuration management policy; procedures addressing information system configuration change control; configuration management plan; information system architecture and configuration documentation; security plan; change control records; information system audit records; change control audit and review reports; agenda /minutes from configuration change control oversight meetings; other relevant documents or records]. Interview: [select from: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators; members of change control board or similar]. Test: [select from: Organizational processes for configuration change control; automated mechanisms that implement configuration change control].

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056