Detections
Analytics
800-53|CM-3
Title
CONFIGURATION CHANGE CONTROLDescription
The organization:Supplemental
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.Reference Item Details
Reference: NIST 800-53 - Security and Privacy Controls for Federal Information Systems and Organizations
Related: CA-7,CM-2,CM-4,CM-5,CM-6,CM-9,SA-10,SI-12,SI-2
Category: CONFIGURATION MANAGEMENT
Family: CONFIGURATION MANAGEMENT
Priority: P1
Baseline Impact: MODERATE,HIGH
Audit Items
View all Reference Audit Items