Navigate

CCI-003912

CCI-003912 Definition

Approve or disapprove configuration-controlled changes to the system, with explicit consideration for privacy impact analyses.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if: - proposed configuration-controlled changes to the system are reviewed. - proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security and privacy impact analyses.

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing system configuration change control; configuration management plan; system architecture and configuration documentation; change control records; system audit records; change control audit and review reports; agenda/minutes/documentation from configuration change control oversight meetings; system security plan; privacy plan; privacy impact assessments; system of records notices; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities; organizational personnel with information security and privacy responsibilities; system/network administrators; members of change control board or similar]. Test: [SELECT FROM: Organizational processes for configuration change control; mechanisms that implement configuration change control].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003912.

Control	Description
CM-3	a: Determine and document the types of changes to the system that are configuration-controlled; b: Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; c: Document configuration change decisions associated with the system; d: Implement approved configuration-controlled changes to the system; e: Retain records of configuration-controlled changes to the system for [the time period to retain records of configuration-controlled changes is defined;]; f: Monitor and review activities associated with configuration-controlled changes to the system; and g: Coordinate and provide oversight for configuration change control activities through [the configuration change control element responsible for coordinating and overseeing change control activities is defined;] that convenes [one or more of "{{ insert: param, cm-03_odp.04 }} "/"when {{ insert: param, cm-03_odp.05 }} "].

Control

Description

CM-3

a: Determine and document the types of changes to the system that are configuration-controlled;

b: Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;

c: Document configuration change decisions associated with the system;

d: Implement approved configuration-controlled changes to the system;

e: Retain records of configuration-controlled changes to the system for [the time period to retain records of configuration-controlled changes is defined;];

f: Monitor and review activities associated with configuration-controlled changes to the system; and

g: Coordinate and provide oversight for configuration change control activities through [the configuration change control element responsible for coordinating and overseeing change control activities is defined;] that convenes [one or more of "{{ insert: param, cm-03_odp.04 }} "/"when {{ insert: param, cm-03_odp.05 }} "].