>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

3.4.3Configuration Management - Derived

Derived Requirement

>Control Description

Track, review, approve or disapprove, and log changes to organizational systems.

>Discussion

Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities.

Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes. [SP 800-128] provides guidance on configuration change control.

>Cross-Framework Mappings

CMMC

CM.L2-3.4.3
Compare

SCF

CHG-01
Compare
CHG-02
Compare

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern tracking, reviewing, and approving configuration changes?
  • What change management process controls configuration changes?
  • Who has authority to approve different types of configuration changes?
  • How are emergency configuration changes handled?
  • What procedures ensure configuration changes are documented?

Technical Implementation:

  • What configuration management systems track changes?
  • How do you detect unauthorized configuration changes?
  • What version control systems manage configuration baselines?
  • What automated tools enforce change approval workflows?
  • How are configuration changes audited and logged?

Evidence & Documentation:

  • Can you provide configuration change approval records?
  • What change management tickets show configuration changes?
  • Can you demonstrate change tracking and approval workflows?
  • What audit logs track configuration modifications?
  • What reports verify configuration change control compliance?

Ask AI

Configure your API key to use AI features.