This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
NIST 800-53 (r4) Supplemental Guidance:
Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines). Related controls: SA-11, SC-3, SC-7.
NIST 800-53 (r5) Discussion:
A separate test environment requires an environment that is physically or logically separate and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment and that information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not implemented, organizations determine the strength of mechanism required when implementing logical separation.
38North Guidance:
Meets Minimum Requirement:
Once a proposed change has been approved, authorized personnel must test and verify it in a separate test environment (physically or logically isolated from production) before it is implemented in the production system, analyzing it for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Change request documentation (e.g., tickets) including evidence that security impact testing was performed in the separate test environment prior to production implementation
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD