This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization employs automated mechanisms to:
(a) Document proposed changes to the information system;
(b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval;
(c) Highlight proposed changes to the information system that have not been approved or disapproved by [FedRAMP Assignment: (H) organization agreed upon time period];
(d) Prohibit changes to the information system until designated approvals are received;
(e) Document all changes to the information system; and
(f) Notify [FedRAMP Assignment: (H) organization defined configuration management approval authorities] when approved changes to the information system are completed.
NIST 800-53 (r4) Supplemental Guidance:
None
NIST 800-53 (r5) Discussion:
None
38North Guidance:
Meets Minimum Requirement:
Employ automated mechanisms (e.g., tooling such as Jira, ServiceNow, etc.) to:
document, track, audit, prohibit, and approve/disapprove proposed changes from testing to production deployment; and
notify approval authorities of proposed changes, of requests for change approval, and when approved changes are completed.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Evidence showing where and how configuration baseline(s) are stored (e.g., GitHub, Bitbucket, etc.)
Change request documentation (e.g., tickets, etc.) including the following details:
security impact analysis
approval or disapproval
implementation/deployment
Notifications (e.g., Slack, email, etc.) sent to approval authorities for proposed changes, for requests for change approval, and upon completion of approved changes
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD