Navigate

CCI-003926

CCI-003926 Definition

Defines the frequency for reviewing changes to the system.

Status
Type	CheckType.policy

Master Assessment Datasheet

Implementation Guidance

Determine if changes to the system are reviewed [CM-03(07)_ODP[01]; the frequency at which changes are to be reviewed is defined] or when [CM-03(07)_ODP[02]; the circumstances under which changes are to be reviewed are defined] to determine whether unauthorized changes have occurred.

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing system configuration change control; configuration management plan; change control records; system architecture and configuration documentation; system configuration settings and associated documentation; system audit records; system component inventory; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with configuration change control responsibilities; organizational personnel with security responsibilities; system/network administrators; members of change control board or similar]. Test: [SELECT FROM: Organizational processes for configuration change control; mechanisms implementing audit records for changes].

Related Controls

The controls below (if any) were marked by NIST as being related to CCI-003926.

Control	Description
CM-3(7)	Review changes to the system [the frequency at which changes are to be reviewed is defined;] or when [the circumstances under which changes are to be reviewed are defined;] to determine whether unauthorized changes have occurred.