💼 CM-3 Configuration Change Control

  • ID: /frameworks/nist-sp-800-53-r5/cm/03

Description

a. Determine and document the types of changes to the system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
c. Document configuration change decisions associated with the system;
d. Implement approved configuration-controlled changes to the system;
e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
f. Monitor and review activities associated with configuration-controlled changes to the system; and
g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].

Similar

  • Sections
    • /frameworks/aws-fsbp-v1.0.0/config/01
    • /frameworks/aws-fsbp-v1.0.0/documentdb/05
    • /frameworks/aws-fsbp-v1.0.0/dynamodb/06
    • /frameworks/aws-fsbp-v1.0.0/elb/06
    • /frameworks/aws-fsbp-v1.0.0/mq/03
    • /frameworks/aws-fsbp-v1.0.0/neptune/04
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/09
    • /frameworks/aws-fsbp-v1.0.0/network-firewall/10
    • /frameworks/aws-fsbp-v1.0.0/rds/07
    • /frameworks/aws-fsbp-v1.0.0/rds/08
  • Internal
    • ID: dec-c-b9c9dbc4

Similar Sections (Take Policies From)

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Config.1] AWS Config should be enabled and use the service-linked role for resource recording | 1 | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.6] DynamoDB tables should have deletion protection enabled | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.4] Neptune DB clusters should have deletion protection enabled | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.7] RDS clusters should have deletion protection enabled | no data
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.8] RDS DB instances should have deletion protection enabled | no data

Similar Sections (Give Policies To)

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H) | 425 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events | 120 | no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events | 139 | no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked | 30 | no data

Sub Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 CM-3(1) Configuration Change Control _ Automated Documentation, Notification, and Prohibition of Changes | no data
💼 CM-3(2) Configuration Change Control _ Testing, Validation, and Documentation of Changes | no data
💼 CM-3(3) Configuration Change Control _ Automated Change Implementation | no data
💼 CM-3(4) Configuration Change Control _ Security and Privacy Representatives | no data
💼 CM-3(5) Configuration Change Control _ Automated Security Response | no data
💼 CM-3(6) Configuration Change Control _ Cryptography Management | 6 | no data
💼 CM-3(7) Configuration Change Control _ Review System Changes | no data
💼 CM-3(8) Configuration Change Control _ Prevent or Restrict Configuration Changes | no data

Policies (19)

Policy | Logic Count | Flags | Compliance
🛡️ AWS Account Config is not enabled in all regions | 🟢 1 | 🟢 x6 | no data
🛡️ AWS Account Multi-Region CloudTrail is not enabled | 🟢 1 | 🟢 x6 | no data
🛡️ AWS API Gateway API Access Logging in CloudWatch is not enabled | 🟢 1 | 🟠 x1, 🟢 x5 | no data
🛡️ AWS CloudFront Distribution Logging is not enabled | 🟢 1 | 🟢 x6 | no data
🛡️ AWS CloudTrail S3 Bucket Access Logging is not enabled. | 🟢 1 | 🟢 x6 | no data
🛡️ AWS EKS Cluster Logging is not enabled for all control plane logs types | 🟢 1 | 🟢 x6 | no data
🛡️ AWS S3 Bucket Server Access Logging is not enabled | 🟢 1 | 🟢 x6 | no data
🛡️ AWS VPC Flow Logs are not enabled | 🟢 1 | 🟠 x1, 🟢 x5 | no data
🛡️ Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories | 🟢 1 | 🟢 x6 | no data
🛡️ Azure Diagnostic Setting for Azure Key Vault is not enabled | 🟢 ⚪ | 🟢 x2, ⚪ x1 | no data
🛡️ Azure Network Security Group Flow Logs retention period is less than 90 days | 🟢 1 | 🟢 x6 | no data
🛡️ Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON | 🟢 1 | 🟢 x6 | no data
🛡️ Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days | 🟢 1 | 🟢 x6 | no data
🛡️ Azure PostgreSQL Single Server log_connections Parameter is not set to ON | 🟢 1 | 🟢 x6 | no data
🛡️ Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON | 🟢 1 | 🟢 x6 | no data
🛡️ Azure SQL Server Auditing is not enabled | 🟢 1 | 🟢 x6 | no data
🛡️ Azure SQL Server Auditing Retention is less than 90 days | 🟢 1 | 🟢 x6 | no data
🛡️ Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests | 🟢 1 | 🟢 x6 | no data
🛡️ Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests | 🟢 1 | 🟢 x6 | no data
