CM-3(5)—Configuration Change Control | Automated Security Response

IL5

IL6

>Control Description

Implement the following security responses automatically if baseline configurations are changed in an unauthorized manner: ⚙organization-defined security responses.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Automated security responses include halting selected system functions, halting system processing, and issuing alerts or notifications to organizational personnel when there is an unauthorized modification of a configuration item.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What formal policies and procedures govern the implementation of CM-3(5) (Automated Security Response)?
•Who are the designated roles responsible for implementing, maintaining, and monitoring CM-3(5)?
•How frequently is the CM-3(5) policy reviewed and updated, and what triggers policy changes?
•What training or awareness programs ensure personnel understand their responsibilities related to CM-3(5)?

Technical Implementation:

•Describe the specific technical mechanisms or controls used to enforce CM-3(5) requirements.
•What automated tools, systems, or technologies are deployed to implement CM-3(5)?
•How is CM-3(5) integrated into your system architecture and overall security posture?
•What configuration settings, parameters, or technical specifications enforce CM-3(5) requirements?

Evidence & Documentation:

•What documentation demonstrates the complete implementation of CM-3(5)?
•What audit logs, records, reports, or monitoring data validate CM-3(5) compliance?
•Can you provide evidence of periodic reviews, assessments, or testing of CM-3(5) effectiveness?
•What artifacts would you present during a FedRAMP assessment to demonstrate CM-3(5) compliance?

Ask AI

Configure your API key to use AI features.