03.04.03: Configuration Change Control

Control Family: Configuration Management

SPRS: N/A

Top Ten Failed Requirement: N/A

Supporting Publications:

  • SP 800-124 [28]

  • SP 800-128 [41]

Referenced in: N/A

Control Type: N/A

CPCSC Level 2: 03.04.03

CMMC Level(s): N/A

Derived From: NIST SP 800-53r5

  • CM-03

a. Define the types of changes to the system that are configuration-controlled.

b. Review proposed configuration-controlled changes to the system, and approve or disapprove such changes with explicit consideration for security impacts.

c. Implement and document approved configuration-controlled changes to the system.

d. Monitor and review activities associated with configuration-controlled changes to the system.

Discussion:

Configuration change control refers to tracking, reviewing, approving or disapproving, and logging changes to the system. Specifically, it involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the system, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for system components (e.g., operating systems, applications, firewalls, routers, mobile devices) and configuration items of the system, changes to configuration settings, unscheduled and unauthorized changes, and changes to remediate vulnerabilities. This requirement is related to 03.04.04.
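As an added illustration of part d (monitoring and reviewing change activity), not part of the NIST text: a small Python reconciliation check that matches configuration changes observed in system audit records against approved change-control records and flags anything with no record, made outside its approved window, or landing in a state other than the approved one. All hostnames, record IDs, hashes and timestamps are constructed sample data.

```python
from datetime import datetime

# Approved change-control records (constructed sample data). Each approval names one
# configuration item (CI), the state the change should produce, and an approved window.
APPROVED_CHANGES = [
    {"id": "CR-101", "ci": "fw-edge-01:/etc/ruleset.conf", "expected_hash": "a1b2",
     "window": ("2024-05-01T02:00", "2024-05-01T04:00")},
    {"id": "CR-102", "ci": "srv-app-03:sshd_config", "expected_hash": "c3d4",
     "window": ("2024-05-02T01:00", "2024-05-02T03:00")},
]

# Configuration changes observed in system audit records (constructed sample data).
OBSERVED_CHANGES = [
    {"ci": "fw-edge-01:/etc/ruleset.conf", "new_hash": "a1b2",
     "when": "2024-05-01T02:30", "actor": "netops"},
    {"ci": "srv-app-03:sshd_config", "new_hash": "ffff",  # not the approved state
     "when": "2024-05-02T02:10", "actor": "admin"},
    {"ci": "srv-db-02:pg_hba.conf", "new_hash": "9e9e",  # no change record at all
     "when": "2024-05-03T13:45", "actor": "dba"},
]

def reconcile(observed, approved):
    """Classify each observed change as authorized or unauthorized.

    Authorized means an approved record exists for the CI, the change fell inside
    its window, and the resulting state is the approved one; else return a reason.
    """
    authorized, unauthorized = [], []
    for obs in observed:
        when = datetime.fromisoformat(obs["when"])
        records = [a for a in approved if a["ci"] == obs["ci"]]
        in_window = [a for a in records
                     if datetime.fromisoformat(a["window"][0]) <= when
                     <= datetime.fromisoformat(a["window"][1])]
        match = next((a for a in in_window if a["expected_hash"] == obs["new_hash"]), None)
        if match:
            authorized.append((obs["ci"], match["id"]))
        elif not records:
            unauthorized.append((obs["ci"], obs["actor"], "no change record for this CI"))
        elif not in_window:
            unauthorized.append((obs["ci"], obs["actor"], "change made outside the approved window"))
        else:
            unauthorized.append((obs["ci"], obs["actor"], "resulting state differs from what was approved"))
    return {"authorized": authorized, "unauthorized": unauthorized}

if __name__ == "__main__":
    for verdict, items in reconcile(OBSERVED_CHANGES, APPROVED_CHANGES).items():
        print(verdict, items)
```

Each flagged entry carries the actor and the reason, which is the evidence an assessor would expect a change control review to act on.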

Assessment Methods and Objectives

Examine [SELECT FROM: configuration management policy and procedures; procedures for system configuration change control; configuration management plan; system architecture; configuration settings; change control records; system audit records; change control audit and review reports; agenda, minutes, and documentation from configuration change control oversight meetings; system security plan; other relevant documents or records]

Interview [SELECT FROM: personnel with configuration change control responsibilities; personnel with information security responsibilities; members of change control board or similar; system administrators]

Test [SELECT FROM: processes for configuration change control; mechanisms that implement configuration change control]

NIST SP 800-171A r3 Determining Statements

Determine if:

A.03.04.03.a: the types of changes to the system that are configuration-controlled are defined.

A.03.04.03.b[01]: proposed configuration-controlled changes to the system are reviewed with explicit consideration for security impacts.

A.03.04.03.b[02]: proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security impacts.

A.03.04.03.c[01]: approved configuration-controlled changes to the system are implemented.

A.03.04.03.c[02]: approved configuration-controlled changes to the system are documented.

A.03.04.03.d[01]: activities associated with configuration-controlled changes to the system are monitored.

A.03.04.03.d[02]: activities associated with configuration-controlled changes to the system are reviewed.