Navigate

CCI-000314

CCI-000314 Definition

The organization approves or disapproves configuration-controlled changes to the information system, with explicit consideration for security impact analysis.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed approves or disapproves configuration controlled changes to the information system with explicit consideration for security impact analysis. The organization must maintain an audit trail of approval/disapproval of configuration controlled changes. This action will be implemented by the CCB as defined in CM-3, CCI 1586.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail of the approval/disapproval of configuration controlled changes to ensure a security impact analysis was conducted.

Compelling Evidence

1.) Signed and dated configuration management policies

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000314.

Control	Description
CM-3	The organization: CM-3a.: Determines the types of changes to the information system that are configuration-controlled; CM-3b.: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; CM-3c.: Documents configuration change decisions associated with the information system; CM-3d.: Implements approved configuration-controlled changes to the information system; CM-3e.: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; CM-3f.: Audits and reviews activities associated with configuration-controlled changes to the information system; and CM-3g.: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

Control

Description

CM-3

The organization:

CM-3a.: Determines the types of changes to the information system that are configuration-controlled;

CM-3b.: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

CM-3c.: Documents configuration change decisions associated with the information system;

CM-3d.: Implements approved configuration-controlled changes to the information system;

CM-3e.: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];

CM-3f.: Audits and reviews activities associated with configuration-controlled changes to the information system; and

CM-3g.: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].