Navigate

CM-4(2)

CM-4(2): Verification of Controls

After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.

Supplemental

Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls.

CIA Levels
Confidentiality	unknown
Integrity	moderate
Availability	unknown

Overlays
CMMC, DAF Baseline, Int-A, Int-B, Int-C, Privacy (high), Privacy (moderate)

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-4(2).

Control	Description
SA-11	Require the developer of the system, system component, or system service, at all post-design stages of the system development life cycle, to: a: Develop and implement a plan for ongoing security and privacy control assessments; b: Perform [one or more of "unit"/"integration"/"system"/"regression"] testing/evaluation [frequency at which to conduct {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;] at [depth and coverage of {{ insert: param, sa-11_odp.01 }} testing/evaluation is defined;]; c: Produce evidence of the execution of the assessment plan and the results of the testing and evaluation; d: Implement a verifiable flaw remediation process; and e: Correct flaws identified during testing and evaluation.
SC-3	Isolate security functions from nonsecurity functions.
SI-6	a: Verify the correct operation of [one of ]; b: Perform the verification of the functions specified in SI-6a [one or more of "{{ insert: param, si-06_odp.04 }} "/"upon command by user with appropriate privilege"/"{{ insert: param, si-06_odp.05 }} "]; c: Alert [personnel or roles to be alerted of failed security and privacy verification tests is/are defined;] to failed security and privacy verification tests; and d: [one or more of "shut the system down"/"restart the system"/"{{ insert: param, si-06_odp.08 }} "] when anomalies are discovered.

Enhancements

The controls below (if any) add on to the requirements of CM-4(2).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-4(2).

CCI	Definition
CCI-000335	After system changes, verify that the impacted controls are implemented correctly, meeting the security requirements for the system.
CCI-000336	After system changes, verify that the impacted controls are operating as intended, meeting the security requirements for the system.
CCI-000337	After system changes, verify that the impacted controls are producing the desired outcome with regard to meeting the security requirements for the system.
CCI-003932	After system changes, verify that the impacted controls are implemented correctly, meeting the privacy requirements for the system.
CCI-003933	After system changes, verify that the impacted controls are operating as intended, meeting the privacy requirements for the system.
CCI-003934	After system changes, verify that the impacted controls are producing the desired outcome with regard to meeting the privacy requirements for the system.