Navigate

CCI-000318

CCI-000318 Definition

The organization audits and reviews activities associated with configuration-controlled changes to the system.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed audits and reviews activities associated with configuration-controlled changes to the information system. The organization must maintain an audit trail to include review activities associated with configuration-controlled changes.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail documenting the review activities associated with configuration-controlled changes to the information system to ensure the organization being inspected/assessed audits and reviews activities associated with the changes.

Compelling Evidence

1.) examples of audits and reviews activities associated with configuration controlled changes

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000318.

Control	Description
CM-3	The organization: CM-3a.: Determines the types of changes to the information system that are configuration-controlled; CM-3b.: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; CM-3c.: Documents configuration change decisions associated with the information system; CM-3d.: Implements approved configuration-controlled changes to the information system; CM-3e.: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; CM-3f.: Audits and reviews activities associated with configuration-controlled changes to the information system; and CM-3g.: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

Control

Description

CM-3

The organization:

CM-3a.: Determines the types of changes to the information system that are configuration-controlled;

CM-3b.: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

CM-3c.: Documents configuration change decisions associated with the information system;

CM-3d.: Implements approved configuration-controlled changes to the information system;

CM-3e.: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];

CM-3f.: Audits and reviews activities associated with configuration-controlled changes to the information system; and

CM-3g.: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].