CM-03 Configuration Change Control

Control: The organization authorizes, documents, and controls changes to the information system.

Supplemental Guidance: The organization manages configuration changes to the information system using an organizationally approved process (e.g., a chartered Configuration Control Board). Configuration change control involves the systematic proposal, justification, implementation, test/evaluation, review, and disposition of changes to the information system, including upgrades and modifications. Configuration change control includes changes to the configuration settings for information technology products (e.g., operating systems, firewalls, routers). The organization includes emergency changes in the configuration change control process, including changes resulting from the remediation of flaws. The approvals to implement a change to the information system include successful results from the security analysis of the change. The organization audits activities associated with configuration changes to the information system. Related security controls: CM-4, CM-6, SI-2.

Control Enhancements: (1) The organization employs automated mechanisms to: (i) document proposed changes to the information system; (ii) notify appropriate approval authorities; (iii) highlight approvals that have not been received in a timely manner; (iv) inhibit change until necessary approvals are received; and (v) document completed changes to the information system.
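As an added example (not part of NIST SP 800-53 or any particular tool), the following Python model implements the five automated mechanisms of CM-3(1) for a single change request: it documents the proposal and notifies approvers (i, ii), flags approvals overdue against an assumed 48-hour deadline (iii), blocks implementation until every required approval and the security analysis are in (iv), and records the completed change in an audit trail (v). All identifiers and the approval deadline are assumptions.

```python
"""Constructed model of the CM-3(1) automated change-control mechanisms."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

APPROVAL_DEADLINE = timedelta(hours=48)  # assumed organizational deadline for approvals


@dataclass
class ChangeRequest:
    cr_id: str
    description: str
    required_approvers: set
    submitted_at: datetime
    approvals: dict = field(default_factory=dict)  # approver -> time of approval
    security_analysis_passed: bool = False         # CM-3: approval requires passing analysis
    audit_log: list = field(default_factory=list)  # (time, event) records of all activity

    def _log(self, when, event):
        self.audit_log.append((when, event))

    def approve(self, approver, when):
        if approver not in self.required_approvers:
            raise ValueError(f"{approver} is not an approval authority for {self.cr_id}")
        self.approvals[approver] = when
        self._log(when, f"approved by {approver}")

    def pending_approvers(self):
        return self.required_approvers - set(self.approvals)

    def overdue_approvers(self, now):
        # (iii) highlight approvals that have not been received in a timely manner
        if now - self.submitted_at <= APPROVAL_DEADLINE:
            return set()
        return self.pending_approvers()

    def can_implement(self):
        # (iv) inhibit the change until all approvals and the security analysis are in
        return not self.pending_approvers() and self.security_analysis_passed

    def implement(self, when):
        if not self.can_implement():
            raise PermissionError(f"{self.cr_id} blocked: pending approvals "
                                  f"{sorted(self.pending_approvers())}, security analysis "
                                  f"passed={self.security_analysis_passed}")
        self._log(when, "change implemented")  # (v) document the completed change
        return True


def submit_change(cr_id, description, approvers, when):
    # (i) document the proposed change and (ii) notify the approval authorities
    cr = ChangeRequest(cr_id, description, set(approvers), when)
    cr._log(when, f"proposed: {description}")
    cr._log(when, f"notified approvers: {sorted(approvers)}")
    return cr
```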

Baseline: LOW: Not Selected; MOD: CM-3; HIGH: CM-3 (1)

Family: Configuration Management

Class: Operational

ISO 17799 mapping: 10.1.2, 10.2.3, 12.4.1, 12.5.1, 12.5.2, 12.5.3

COBIT 4.1 mapping: AI6.1, AI6.3, DS9.2

PCI-DSS v2 mapping: 6.4