💼 CM-3 Configuration Change Control (M)(H)

  • Contextual name: 💼 CM-3 Configuration Change Control (M)(H)
  • ID: /frameworks/fedramp-moderate-security-controls/cm/03
  • Located in: 💼 Configuration Management

Description

a. Determine and document the types of changes to the system that are configuration-controlled;

b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;

c. Document configuration change decisions associated with the system;

d. Implement approved configuration-controlled changes to the system;

e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];

f. Monitor and review activities associated with configuration-controlled changes to the system; and

g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one-or-more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].

CM-3 Additional FedRAMP Requirements and Guidance:

(e) Guidance: In accordance with record retention policies and procedures.

Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

Similar

  • Sections
    • /frameworks/fedramp-high-security-controls/cm/03
  • Internal
    • ID: dec-c-fcecd5c4

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H) | 4 | 2 | 1 |

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags
💼 CM-3(2) Testing, Validation, and Documentation of Changes (M)(H) | | | |
💼 CM-3(4) Security and Privacy Representatives (M)(H) | | | |

Policies (17)

Policy | Logic Count | Flags
📝 AWS Account Config is not enabled in all regions | 🟢 1 | 🟢 x6
📝 AWS Account Multi-Region CloudTrail is not enabled | 🟢 1 | 🟢 x6
📝 AWS API Gateway API Access Logging in CloudWatch is not enabled | 🟢 1 | 🟠 x1, 🟢 x5
📝 AWS CloudTrail S3 Bucket Access Logging is not enabled | 🟢 1 | 🟢 x6
📝 AWS S3 Bucket Server Access Logging is not enabled | 🟢 1 | 🟢 x6
📝 AWS VPC Flow Logs are not enabled | 🟢 1 | 🟠 x1, 🟢 x5
📝 Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories | 🟢 1 | 🟢 x6
📝 Azure Diagnostic Setting for Azure Key Vault is not enabled | 🟢 | 🟢 x3
📝 Azure Network Security Group Flow Logs retention period is less than 90 days | 🟢 1 | 🟢 x6
📝 Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON | 🟢 1 | 🟢 x6
📝 Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days | 🟢 1 | 🟢 x6
📝 Azure PostgreSQL Single Server log_connections Parameter is not set to ON | 🟢 1 | 🟢 x6
📝 Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON | 🟢 1 | 🟢 x6
📝 Azure SQL Server Auditing is not enabled | 🟢 1 | 🟢 x6
📝 Azure SQL Server Auditing Retention is less than 90 days | 🟢 1 | 🟢 x6
📝 Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests | 🟢 1 | 🟢 x6
📝 Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests | 🟢 1 | 🟢 x6