💼 CM-3 Configuration Change Control

Contextual name: 💼 CM-3 Configuration Change Control
ID: /frameworks/nist-sp-800-53-r5/cm/03
Located in: 💼 CM Configuration Management

Description

a. Determine and document the types of changes to the system that are configuration-controlled; b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; c. Document configuration change decisions associated with the system; d. Implement approved configuration-controlled changes to the system; e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period]; f. Monitor and review activities associated with configuration-controlled changes to the system; and g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].

Similar

Sections
- /frameworks/aws-fsbp-v1.0.0/config/01
- /frameworks/aws-fsbp-v1.0.0/documentdb/05
- /frameworks/aws-fsbp-v1.0.0/dynamodb/06
- /frameworks/aws-fsbp-v1.0.0/elb/06
- /frameworks/aws-fsbp-v1.0.0/mq/03
- /frameworks/aws-fsbp-v1.0.0/neptune/04
- /frameworks/aws-fsbp-v1.0.0/network-firewall/09
- /frameworks/aws-fsbp-v1.0.0/network-firewall/10
- /frameworks/aws-fsbp-v1.0.0/rds/07
- /frameworks/aws-fsbp-v1.0.0/rds/08
Internal
- ID: dec-c-b9c9dbc4

Similar Sections (Take Policies From)

Section	Sub Sections	Internal Rules	Policies	Flags
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Config.1] AWS Config should be enabled and use the service-linked role for resource recording			1
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DocumentDB.5] Amazon DocumentDB clusters should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [DynamoDB.6] DynamoDB tables should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [ELB.6] Application, Gateway, and Network Load Balancers should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [MQ.3] Amazon MQ brokers should have automatic minor version upgrade enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [Neptune.4] Neptune DB clusters should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.9] Network Firewall firewalls should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [NetworkFirewall.10] Network Firewall firewalls should have subnet change protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.7] RDS clusters should have deletion protection enabled
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [RDS.8] RDS DB instances should have deletion protection enabled

Similar Sections (Give Policies To)

Section	Sub Sections	Policies
💼 FedRAMP High Security Controls → 💼 CM-3 Configuration Change Control (M)(H)	4	21
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events		83
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events		89
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked		24

Sub Sections

Section	Sub Sections	Internal Rules	Policies	Flags
💼 CM-3(1) Configuration Change Control _ Automated Documentation, Notification, and Prohibition of Changes
💼 CM-3(2) Configuration Change Control _ Testing, Validation, and Documentation of Changes
💼 CM-3(3) Configuration Change Control _ Automated Change Implementation
💼 CM-3(4) Configuration Change Control _ Security and Privacy Representatives
💼 CM-3(5) Configuration Change Control _ Automated Security Response
💼 CM-3(6) Configuration Change Control _ Cryptography Management			4
💼 CM-3(7) Configuration Change Control _ Review System Changes
💼 CM-3(8) Configuration Change Control _ Prevent or Restrict Configuration Changes

Policies (17)

Policy	Logic Count	Flags
📝 AWS Account Config is not enabled in all regions 🟢	1	🟢 x6
📝 AWS Account Multi-Region CloudTrail is not enabled 🟢	1	🟢 x6
📝 AWS API Gateway API Access Logging in CloudWatch is not enabled 🟢	1	🟠 x1, 🟢 x5
📝 AWS CloudTrail S3 Bucket Access Logging is not enabled. 🟢	1	🟢 x6
📝 AWS S3 Bucket Server Access Logging is not enabled 🟢	1	🟢 x6
📝 AWS VPC Flow Logs are not enabled 🟢	1	🟠 x1, 🟢 x5
📝 Azure Diagnostic Setting captures Administrative, Alert, Policy, and Security categories 🟢	1	🟢 x6
📝 Azure Diagnostic Setting for Azure Key Vault is not enabled 🟢		🟢 x3
📝 Azure Network Security Group Flow Logs retention period is less than 90 days 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server log_checkpoints Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Flexible Server log_retention_days Parameter is less than 4 days 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server log_connections Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure PostgreSQL Single Server log_disconnections Parameter is not set to ON 🟢	1	🟢 x6
📝 Azure SQL Server Auditing is not enabled 🟢	1	🟢 x6
📝 Azure SQL Server Auditing Retention is less than 90 days 🟢	1	🟢 x6
📝 Azure Storage Blob Logging is not enabled for Read, Write, and Delete requests 🟢	1	🟢 x6
📝 Azure Storage Queue Logging is not enabled for Read, Write, and Delete requests 🟢	1	🟢 x6

Internal Rules

Rule	Policies	Flags
✉️ dec-x-0c82d775	1
✉️ dec-x-9b79d91f	1
✉️ dec-x-9c041667	1
✉️ dec-x-24bba483	1
✉️ dec-x-36ced3d1	1
✉️ dec-x-89d5ed7a	1
✉️ dec-x-611eaa35	1
✉️ dec-x-1518c16e	1
✉️ dec-x-a193b20f	1
✉️ dec-x-b2ce0ca1	1
✉️ dec-x-d75f6d86	1
✉️ dec-x-db1b7a1b	1
✉️ dec-x-e5c05d3e	1
✉️ dec-x-e0014333	2
✉️ dec-z-3f480eb5	1

Description​

Similar​

Similar Sections (Take Policies From)​

Similar Sections (Give Policies To)​

Sub Sections​

Policies (17)​

Internal Rules​