This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization reviews information system changes [FedRAMP Assignment: (H) at least every thirty (30) days] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
NIST 800-53 (r4) Supplemental Guidance:
Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process. Related controls: AU-6, AU-7, CM-3, CM-5, PE-6, PE-8.
NIST 800-53 (r5) Discussion:
Withdrawn: Incorporated into CM-3(7).
38North Guidance:
Meets Minimum Requirement:
At least every thirty (30) days, review for unauthorized changes to the system. Review ongoing tickets for closure.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
Evidence of the CCB meeting for a sample of weeks (e.g., meeting minutes, recurring meeting invite, agenda).
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD