This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
NIST 800-53 (r4) Supplemental Guidance:
Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems).
NIST 800-53 (r5) Discussion:
Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes. Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls.
38North Guidance:
Meets Minimum Requirement:
Once a proposed change has been approved, it must be tested and verified by authorized personnel in a separate, non-production environment before it is implemented on the production system. The testing must validate that the change will not compromise or adversely affect system inputs, information processing, message integrity, or processing outputs, where applicable. Testing must also cover all interrelated systems, including failover and recovery, to confirm that the change has no detrimental impact once migrated. Test results must be recorded with the change request so that the test, validate, and document requirement of the control is met. Test programs, scripts, or code must not be placed into customer environments.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Change request documentation (e.g., change tickets) that includes evidence of the testing and validation performed in the non-production environment before the change was deployed to production.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD