CM-3 Configuration Change Control

Moderate
High

>Control Description

a. Determine and document the types of changes to the system that are configuration-controlled;

b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;

c. Document configuration change decisions associated with the system;

d. Implement approved configuration-controlled changes to the system;

e. Retain records of configuration-controlled changes to the system for organization-defined time period;

f. Monitor and review activities associated with configuration-controlled changes to the system; and

g. Coordinate and provide oversight for configuration change control activities through organization-defined configuration change control element that convenes [Selection (one or more): organization-defined frequency; when organization-defined configuration change conditions].

>FedRAMP Baseline Requirements

Additional Requirements and Guidance

CM-3 Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page).

CM-3 (e) Guidance: In accordance with record retention policies and procedures.

>Discussion

Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediation of vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes.

For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes.

See also SA-10.

>Programmatic Queries

Related Services

AWS Config
CloudTrail
Systems Manager Change Manager

CLI Commands

Get evaluation results (compliant and non-compliant resources) for a Config rule
aws configservice get-compliance-details-by-config-rule --config-rule-name RULE_NAME
Check resource configuration timeline
aws configservice get-resource-config-history --resource-type AWS::EC2::Instance --resource-id INSTANCE_ID
List CloudTrail management events that modified resources (ReadOnly=false)
aws cloudtrail lookup-events --lookup-attributes AttributeKey=ReadOnly,AttributeValue=false --max-results 20
List SSM Change Manager change templates (document type Automation.ChangeTemplate)
aws ssm list-documents --filters 'Key=DocumentType,Values=Automation.ChangeTemplate'
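The commands above retrieve the raw evidence; CM-3 (f) still requires someone to review it against the approved change records. The script below is an added example, not code from the original page or from AWS: it takes CloudTrail management events in the shape `aws cloudtrail lookup-events` prints, ignores read-only calls, and reports every write that is not covered by an approved change window for that principal and action. The change-request records, the role ARN, the account number and the event records are all constructed for the example; the change-record fields (`change_id`, `principal`, `start`, `end`, `actions`) are assumptions standing in for whatever Change Manager or a ticketing system exports, not Change Manager's own schema.

```python
"""Flag CloudTrail write events that no approved change request covers.

Added example for CM-3 (f) monitoring, not part of the original page.
All ARNs, account IDs, change IDs and event records below are constructed.
"""
import json
from datetime import datetime, timezone

# Constructed principal: the role a Change Manager runbook is assumed to run as.
CHANGE_ROLE = ("arn:aws:sts::111122223333:assumed-role/"
               "ChangeManagerRole/AutomationExecution")

# Constructed stand-in for approved change requests. Field names are an
# assumption for this example, not Change Manager's record format.
APPROVED_CHANGES = [
    {
        "change_id": "CR-1001",
        "principal": CHANGE_ROLE,
        "start": datetime(2024, 5, 1, 1, 0, tzinfo=timezone.utc),
        "end": datetime(2024, 5, 1, 3, 0, tzinfo=timezone.utc),
        # (eventSource, eventName) pairs the change was approved to perform
        "actions": {("ec2.amazonaws.com", "ModifyInstanceAttribute")},
    },
]


def _event(event_id, name, source, arn, when, read_only=False):
    """Build one record in the shape `aws cloudtrail lookup-events` prints.

    CloudTrailEvent is a JSON string, exactly as the CLI returns it."""
    body = {
        "eventVersion": "1.08",
        "userIdentity": {"arn": arn},
        "eventTime": when,
        "eventSource": source,
        "eventName": name,
        "readOnly": read_only,
    }
    return {
        "EventId": event_id,
        "EventName": name,
        "ReadOnly": "true" if read_only else "false",
        "EventTime": when,
        "EventSource": source,
        "CloudTrailEvent": json.dumps(body),
    }


ALICE = "arn:aws:iam::111122223333:user/alice"
EC2 = "ec2.amazonaws.com"

# Constructed sample output of `aws cloudtrail lookup-events`.
LOOKUP_EVENTS_OUTPUT = {"Events": [
    _event("e1", "ModifyInstanceAttribute", EC2, CHANGE_ROLE, "2024-05-01T01:30:00+00:00"),
    _event("e2", "ModifyInstanceAttribute", EC2, ALICE, "2024-05-01T01:45:00+00:00"),
    _event("e3", "AuthorizeSecurityGroupIngress", EC2, CHANGE_ROLE, "2024-05-01T02:00:00+00:00"),
    _event("e4", "DescribeInstances", EC2, ALICE, "2024-05-01T02:10:00+00:00", read_only=True),
    _event("e5", "ModifyInstanceAttribute", EC2, CHANGE_ROLE, "2024-05-01T05:00:00+00:00"),
]}


def find_unauthorized_changes(lookup_output, approved_changes):
    """Return one finding per write event not covered by an approved change.

    A write is covered only if some approved change's window contains the
    event time, was approved for the calling principal, and lists the
    (eventSource, eventName) action. Each finding says which test failed."""
    findings = []
    for record in lookup_output["Events"]:
        detail = json.loads(record["CloudTrailEvent"])
        if detail.get("readOnly", False):
            continue  # reads do not alter configuration
        when = datetime.fromisoformat(detail["eventTime"])
        action = (detail["eventSource"], detail["eventName"])
        arn = detail["userIdentity"]["arn"]

        in_window = [c for c in approved_changes if c["start"] <= when <= c["end"]]
        if not in_window:
            reason = "no approved change window covers the event time"
        elif not any(c["principal"] == arn for c in in_window):
            reason = "principal is not the executor of any change in window"
        elif not any(c["principal"] == arn and action in c["actions"]
                     for c in in_window):
            reason = "action is outside the approved change scope"
        else:
            continue  # covered by an approved change
        findings.append({"event_id": record["EventId"],
                         "event": detail["eventName"],
                         "principal": arn, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_unauthorized_changes(LOOKUP_EVENTS_OUTPUT, APPROVED_CHANGES):
        print(f"{f['event_id']}: {f['event']} by {f['principal']}: {f['reason']}")
```

In practice the event list would come from the `lookup-events` call above (paged with `--next-token`) and the approved-change list from Change Manager or the ticketing system; the point is that every finding names the specific CM-3 condition that was not met, which is what an assessor reviewing the monitoring records will ask for.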

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-3 (Configuration Change Control)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-3?
  • How frequently is the CM-3 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-3?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-3 requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-3?
  • How is CM-3 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-3 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-3?
  • What audit logs, records, reports, or monitoring data validate CM-3 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-3 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-3 compliance?
