KSI-CMT-RVP—Reviewing Change Procedures
Formerly KSI-CMT-04
>Control Description
>NIST 800-53 Controls
>Trust Center Components3
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express rollback capability through deployment metrics — success rates, rollback frequency, and mean time to recovery as dashboard indicators. Automated rollback triggers fire on health check failures, and every rollback is logged with decision criteria, creating an immutable audit trail of operational recovery.
Deployment Success Metrics
Dashboard expressing deployment health — success rates, rollback frequency, and mean time to recovery as live indicators of operational maturity
Rollback and Recovery Procedures
How failed changes are detected and reverted — including automated rollback triggers and decision criteria
Change Failure Impact Analysis
Historical analysis of change failures and lessons learned
>Programmatic Queries
CLI Commands
gh api repos/{owner}/{repo}/branches/main/protection --jq '{required_reviews: .required_pull_request_reviews.required_approving_review_count, status_checks: .required_status_checks.contexts, enforce_admins: .enforce_admins.enabled}'gh pr list --state merged --limit 20 --json number,title,mergedAt,author>20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- •Do your change management procedures cover all change types — infrastructure, application, configuration, emergency, and third-party changes — or are there gaps?
- •How do you ensure change management procedures address changes made by automated systems (CI/CD pipelines, auto-scaling) in addition to human-initiated changes?
- •Are emergency and break-glass change procedures reviewed with the same rigor as standard change procedures?
- •When procedure non-compliance is identified, how do you determine whether it represents a systemic gap versus an isolated failure?
Automation & Validation:
- •What automated enforcement prevents changes from bypassing required approval gates (code review, CAB approval, security scan)?
- •How do you automatically measure change success rates, rollback frequency, and change-related incidents to assess procedure effectiveness?
- •What happens when automated procedure enforcement is overridden or bypassed — is the override logged and flagged for review?
- •How do you test that procedure enforcement controls actually block non-compliant changes rather than just logging them?
Inventory & Integration:
- •How does your change management platform (ServiceNow, Jira, GitHub) enforce procedure compliance through workflow automation?
- •What tools correlate change records with deployment logs, incident tickets, and rollback events to measure procedure effectiveness?
- •Are change management metrics integrated into a dashboard accessible to leadership, or do they require manual compilation?
- •How do you ensure procedure changes themselves go through a controlled review and approval process?
Continuous Evidence & Schedules:
- •How frequently are change management procedures reviewed for effectiveness, and what evidence proves each review occurred on schedule?
- •What metrics trending over time demonstrate that procedure improvements are actually reducing change-related incidents?
- •Is change compliance data (approval rates, cycle times, bypass counts) available via API for continuous monitoring?
- •How do you demonstrate that procedure reviews result in concrete, implemented changes rather than just documented recommendations?
Update History
Ask AI
Configure your API key to use AI features.