Navigate

CCI-000318

CCI-000318 Definition

Monitor and review activities associated with configuration-controlled changes to the system.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed audits and reviews activities associated with configuration-controlled changes to the information system. The organization must maintain an audit trail to include review activities associated with configuration-controlled changes.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the audit trail documenting the review activities associated with configuration-controlled changes to the information system to ensure the organization being inspected/assessed audits and reviews activities associated with the changes.

Compelling Evidence

1.) examples of audits and reviews activities associated with configuration controlled changes

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000318.

Control	Description
CM-3	The organization: a: Determines the types of changes to the information system that are configuration-controlled; b: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c: Documents configuration change decisions associated with the information system; d: Implements approved configuration-controlled changes to the information system; e: Retains records of configuration-controlled changes to the information system for [one of ]; f: Audits and reviews activities associated with configuration-controlled changes to the information system; and g: Coordinates and provides oversight for configuration change control activities through [one of ] that convenes [one or more of " {{ insert: param, cm-3_prm_4 }} "/" {{ insert: param, cm-3_prm_5 }} "].

Control

Description

CM-3

The organization:

a: Determines the types of changes to the information system that are configuration-controlled;

b: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

c: Documents configuration change decisions associated with the information system;

d: Implements approved configuration-controlled changes to the information system;

e: Retains records of configuration-controlled changes to the information system for [one of ];

f: Audits and reviews activities associated with configuration-controlled changes to the information system; and

g: Coordinates and provides oversight for configuration change control activities through [one of ] that convenes [one or more of " {{ insert: param, cm-3_prm_4 }} "/" {{ insert: param, cm-3_prm_5 }} "].