Navigate

CCI-000321

CCI-000321 Definition

The organization defines configuration change conditions that prompt the configuration change control element to convene.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

The organization being inspected/assessed defines within their CCB Charter, the configuration change conditions that prompt the configuration change control element to convene. DoD has defined the configuration change conditions as configuration change conditions determined by the CCB.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the CCB Charter to ensure the configuration change conditions that prompt the configuration change control element to convene are defined. DoD has defined the configuration change conditions as configuration change conditions determined by the CCB.

Compelling Evidence

1.) Signed and dated change control board charter

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-000321.

Control	Description
CM-3	The organization: CM-3a.: Determines the types of changes to the information system that are configuration-controlled; CM-3b.: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; CM-3c.: Documents configuration change decisions associated with the information system; CM-3d.: Implements approved configuration-controlled changes to the information system; CM-3e.: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; CM-3f.: Audits and reviews activities associated with configuration-controlled changes to the information system; and CM-3g.: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

Control

Description

CM-3

The organization:

CM-3a.: Determines the types of changes to the information system that are configuration-controlled;

CM-3b.: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

CM-3c.: Documents configuration change decisions associated with the information system;

CM-3d.: Implements approved configuration-controlled changes to the information system;

CM-3e.: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];

CM-3f.: Audits and reviews activities associated with configuration-controlled changes to the information system; and

CM-3g.: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].