The organization:
    a. Determines the types of changes to the information system that are configuration controlled;
    b. Approves configuration-controlled changes to the system with explicit consideration for security impact analyses;
    c. Documents approved configuration-controlled changes to the system;
    d. Retains and reviews records of configuration-controlled changes to the system;
    e. Audits activities associated with configuration-controlled changes to the system; and
    f. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board] that convenes [Selection: (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
Supplemental Guidance:
The organization determines the types of changes to the information system that are configuration controlled. Configuration change control for the information system involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the system, including upgrades and modifications. Configuration change control includes changes to components of the information system, changes to the configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers), emergency changes, and changes to remediate flaws. A typical organizational process for managing configuration changes to the information system includes, for example, a chartered Configuration Control Board that approves proposed changes to the system. Auditing of changes refers to changes in activity before and after a change is made to the information system and the auditing activities required to implement the change. Related controls: CM-4, CM-5, CM-6, SI-2.
Control Enhancements:
(1) The organization employs automated mechanisms to:
    (a) Document proposed changes to the information system;
    (b) Notify designated approval authorities;
    (c) Highlight approvals that have not been received by [Assignment: organization-defined time period];
    (d) Inhibit change until designated approvals are received; and
    (e) Document completed changes to the information system.
(2) The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.
Enchancement Supplemental Guidance:
The organization ensures that testing does not interfere with information system operations. The individual/group conducting the tests understands the organizational information security policies and procedures, the information system security policies and procedures, and the specific health, safety, and environmental risks associated with a particular facility and/or process. An operational system may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If an information system must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. In situations where the organization cannot conduct testing of an operational system, the organization employs compensating controls (e.g., providing a replicated system to conduct testing) in accordance with the general tailoring guidance.
(3) The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.
Enchancement Supplemental Guidance:
Related controls: CM-2, CM-6.
(4) The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element (e.g., committee, board)].
Enchancement Supplemental Guidance:
Information security representatives can include, for example, information system security officers or information system security managers. The configuration change control element in this control enhancement is consistent with the change control element defined by the organization in CM-3.
NIST Special Publication 800-128.
Priority and Baseline Allocation:

P1 LOW   Not Selected MOD   CM-3 (2) HIGH   CM-3 (1) (2)

ISO/IEC 27001 Annex A Control Mapping:
A.10.1.1  Documented operating procedures
A.10.1.2  Change management
A.10.3.2  System acceptance
A.12.4.1  Control of operational software
A.12.5.1  Change control procedures
A.12.5.2  Technical review of applications after operating system changes
A.12.5.3  Restrictions on changes to software packages





















NIST Special Publication 800-53: This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States.
Attribution would, however, be appreciated by NIST.

This document was produced from an export of the database beta application released with NIST SP 800-53 REV 3.
The text is unchanged from the information contained in the database. You are free to use this material under the same terms provided by NIST.
Attribution for this arrangement of the material would be appreciated.
Tim Hudson -