CM-3(1) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
Assessment worksheet columns:
Applicable: (Y)es / (N)o
(C)onfidentiality: L1 / M2 / H3
(I)ntegrity: L1 / M2 / H3
(A)vailability: L1 / M2 / H3
RPN (C+I+A)
Result: (S)atisfactory / (O)ther than satisfactory
Assessment objective: Determine if the organization:

CM-3(1)(a)
    employs automated mechanisms to document proposed changes to the information system;

CM-3(1)(b)
    CM-3(1)(b)[1]
        defines approval authorities to be notified of proposed changes to the information system and request change approval;
    CM-3(1)(b)[2]
        employs automated mechanisms to notify organization-defined approval authorities of proposed changes to the information system and request change approval;

CM-3(1)(c)
    CM-3(1)(c)[1]
        defines the time period within which proposed changes to the information system that have not been approved or disapproved must be highlighted;
    CM-3(1)(c)[2]
        employs automated mechanisms to highlight proposed changes to the information system that have not been approved or disapproved by organization-defined time period;

CM-3(1)(d)
    employs automated mechanisms to prohibit changes to the information system until designated approvals are received;

CM-3(1)(e)
    employs automated mechanisms to document all changes to the information system;

CM-3(1)(f)
    CM-3(1)(f)[1]
        defines personnel to be notified when approved changes to the information system are completed; and
    CM-3(1)(f)[2]
        employs automated mechanisms to notify organization-defined personnel when approved changes to the information system are completed.

Potential assessment methods and objects:

Examine: [select from: Configuration management policy; procedures addressing information system configuration change control; configuration management plan; information system design documentation; information system architecture and configuration documentation; automated configuration control mechanisms; information system configuration settings and associated documentation; change control records; information system audit records; change approval requests; change approvals; other relevant documents or records].

Interview: [select from: Organizational personnel with configuration change control responsibilities; organizational personnel with information security responsibilities; system/network administrators; system developers].

Test: [select from: Organizational processes for configuration change control; automated mechanisms implementing configuration change control activities].