This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Determines the types of changes to the information system that are configuration-controlled;
b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
c. Documents configuration change decisions associated with the information system;
d. Implements approved configuration-controlled changes to the information system;
e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
g. Coordinates and provides oversight for configuration change control activities through [FedRAMP Assignment: (M)(H) see additional FedRAMP requirements and guidance] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
CM-3 Additional FedRAMP Requirements and Guidance: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.
CM-3 (e) Additional FedRAMP Requirements and Guidance: In accordance with record retention policies and procedures.
NIST 800-53 (r4) Supplemental Guidance:
Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes. Related controls: CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12.
References: NIST Special Publication 800-128.
NIST 800-53 (r5) Discussion:
Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, changes to remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also SA-10.
38North Guidance:
Meets Minimum Requirement:
Determine the types of changes to the information system that must be configuration-controlled. All changes to the in-boundary environment (including supporting processes) must be configuration-controlled. The change management process must also address emergency changes.
Review proposed configuration-controlled changes to the information system. Approve or disapprove such changes with explicit consideration for security impact analyses. Each change request review must be done by clearly identified roles and responsibilities. For each change request, impact and risk analysis of the change request must be documented.
Document configuration change decisions associated with the information system.
Implement only approved configuration-controlled changes to the information system.
Define and implement a time period to retain records of configuration-controlled changes to the information system in accordance with CSP-defined record retention policies and procedures.
All change documentation is audited and reviewed to ensure the change request policies/procedures are being followed.
Define a configuration change control element (e.g., committee, change approval board) responsible for coordinating and providing oversight for configuration change control activities. Define the frequency with which the configuration change control element must convene. Define the configuration change conditions that prompt the configuration change control element to convene. Coordinate and provide oversight for configuration change control activities through the organization-defined configuration change control element, which convenes at the organization-defined frequency and/or when any organization-defined configuration change condition occurs.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
System-generated list of production configuration changes (including software and firmware updates/patches, firewall/router/switch configuration changes, etc.). System-generated list of application changes (software development).
Change request documentation (e.g., tickets, etc.) including the following details:
evidence of testing
security impact analysis
approval or disapproval
implementation/deployment
Change documentation/tickets dating back through the defined record retention period.
Records of change documentation audits and reviews.
Agenda/minutes from configuration change control oversight meetings.
Example release notes provided to customers (e.g., electronic bulletin board, web status page).
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD