💼 CM-3 CONFIGURATION CHANGE CONTROL
- ID: /frameworks/nist-sp-800-53-r4/cm/03
Description
The organization:
- CM-3a. Determines the types of changes to the information system that are configuration-controlled;
- CM-3b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
- CM-3c. Documents configuration change decisions associated with the information system;
- CM-3d. Implements approved configuration-controlled changes to the information system;
- CM-3e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
- CM-3f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
- CM-3g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Similar
- Internal
- ID: dec-c-34b83b24
- ID:
Similar Sections (Give Policies To)
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 NIST CSF v1.1 → 💼 DE.CM-1: The network is monitored to detect potential cybersecurity events | 19 | 63 | no data | ||
| 💼 NIST CSF v1.1 → 💼 DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed | 19 | 24 | no data | ||
| 💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | 4 | 26 | no data | ||
| 💼 NIST CSF v1.1 → 💼 PR.IP-3: Configuration change control processes are in place | 5 | 5 | no data | | |
Sub Sections
| Section | Sub Sections | Internal Rules | Policies | Flags | Compliance |
|---|---|---|---|---|---|
| 💼 CM-3 (1) AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES | no data | | | | |
| 💼 CM-3 (2) TEST / VALIDATE / DOCUMENT CHANGES | no data | | | | |
| 💼 CM-3 (3) AUTOMATED CHANGE IMPLEMENTATION | no data | | | | |
| 💼 CM-3 (4) SECURITY REPRESENTATIVE | no data | | | | |
| 💼 CM-3 (5) AUTOMATED SECURITY RESPONSE | no data | | | | |
| 💼 CM-3 (6) CRYPTOGRAPHY MANAGEMENT | 1 | 1 | no data | | |