
💼 CM-3 CONFIGURATION CHANGE CONTROL

  • Contextual name: 💼 CM-3 CONFIGURATION CHANGE CONTROL
  • ID: /frameworks/nist-sp-800-53-r4/cm/03
  • Located in: 💼 CM CONFIGURATION MANAGEMENT

Description

The organization:

  • CM-3a. Determines the types of changes to the information system that are configuration-controlled;
  • CM-3b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
  • CM-3c. Documents configuration change decisions associated with the information system;
  • CM-3d. Implements approved configuration-controlled changes to the information system;
  • CM-3e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
  • CM-3f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
  • CM-3g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

Similar

  • Internal
    • ID: dec-c-34b83b24

Similar Sections (Give Policies To)

Section   Sub Sections   Internal Rules   Policies   Flags
💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events   1928
💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed   1923
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)   414
💼 NIST CSF v1.1 → 💼 PR.IP-3: Configuration change control processes are in place   44

Sub Sections

Section   Sub Sections   Internal Rules   Policies   Flags
💼 CM-3 (1) AUTOMATED DOCUMENT _ NOTIFICATION _ PROHIBITION OF CHANGES
💼 CM-3 (2) TEST _ VALIDATE _ DOCUMENT CHANGES
💼 CM-3 (3) AUTOMATED CHANGE IMPLEMENTATION
💼 CM-3 (4) SECURITY REPRESENTATIVE
💼 CM-3 (5) AUTOMATED SECURITY RESPONSE
💼 CM-3 (6) CRYPTOGRAPHY MANAGEMENT