CCI-000332

Require an organization-defined security representative to be a member of the organization-defined configuration change control element.

Implementation Guidance

Determine if: - [CM-03(04)_ODP[01]; security representatives required to be members of the change control element are defined] are required to be members of the [CM-03(04)_ODP[03]; the configuration change control element of which the security and privacy representatives are to be members is defined]. - [CM-03(04)_ODP[02]; privacy representatives required to be members of the change control element are defined] are required to be members of the [CM-03(04)_ODP[03]; the configuration change control element of which the security and privacy representatives are to be members is defined].

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing system configuration change control; configuration management plan; system security plan; privacy plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities; organizational personnel with information security and privacy responsibilities; members of change control board or similar]. Test: [SELECT FROM: Organizational processes for configuration change control].

The controls below (if any) were marked by NIST as being related to CCI-000332.