CCI-000349
CCI-000349 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents in the configuration management policy and implements a process to review information system changes every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems to determine whether unauthorized changes have occurred. The organization must maintain this review as an audit trail. DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines the documented process for information system change review as well as the audit trail of reviews to ensure the organization being inspected/assessed reviews IS changes every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems to determine whether unauthorized changes have occurred. DoD has defined the frequency as every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems.
Compelling Evidence
1.) Signed and dated Configuration management policy, which documents a process to review information system changes every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems to determine whether unauthorized changes have occurred
2.) Audit trail of reviews