CCI-000369

The organization approves any deviations from the established configuration settings for organization-defined information system components based on organization-defined operational requirements.

Implementation Guidance

The organization being inspected/assessed manages and approves changes to the security plan documenting deviations IAW CM-3, CCI 314. The organization must maintain an audit trail of approved changes to the security plan.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the security plan and the audit trail of approved changes to ensure the deviations are approved IAW CM-3, CCI 314.

Compelling Evidence

1.) Audit trail of approved changes to configuration settings

The controls below (if any) were marked by NIST as being related to CCI-000369.