This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization requires an information security representative to be a member of the [FedRAMP Assignment: (H) Configuration control board (CCB) or similar (as defined in CM-3)].
NIST 800-53 (r4) Supplemental Guidance:
Information security representatives can include, for example, senior agency information security officers, information system security officers, or information system security managers. Representation by personnel with information security expertise is important because changes to information system configurations can have unintended side effects, some of which may be security-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security state of organizational information systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3.
NIST 800-53 (r5) Discussion:
Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in CM-3g.
38North Guidance:
Meets Minimum Requirement:
An information security representative (for example, an ISSO or ISSM) must be a member of the configuration control board (CCB) or the equivalent change control body defined under CM-3.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
List of CCB (or equivalent change control body) members, identifying the designated information security representative by name and role
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD