Back

Manage change requests.


CONTROL ID
00887
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a change control program., CC ID: 00886

This Control has the following implementation support Control(s):
  • Include documentation of the impact level of proposed changes in the change request., CC ID: 11942
  • Establish and maintain a change request approver list., CC ID: 06795
  • Document all change requests in change request forms., CC ID: 06794
  • Test proposed changes prior to their approval., CC ID: 00548
  • Examine all changes to ensure they correspond with the change request., CC ID: 12345
  • Approve tested change requests., CC ID: 11783


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Change management is the process of planning, scheduling, applying, distributing and tracking changes to application systems, system software (e.g. operating systems and utilities), hardware, network systems, and other IT facilities and equipment. An effective change management process helps to ensu… (4.3.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Prioritizing any changes to be made to the application and authorizing the changes (Critical components of information security 11) c.2. Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Any changes to an application system/data need to be justified by genuine business need and approvals supported by documentation and subjected to a robust change management process. The change management would involve generating a request, risk assessment, authorization from an appropriate authority… (Critical components of information security 11) c.12., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Change requests should be documented (e.g., on a change request form) and accepted only from authorised individuals and changes should be approved by an appropriate authority (Critical components of information security 20) iii. Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • identification and documentation of requests for change (Security Control: 1211; Revision: 3; Bullet 1, Australian Government Information Security Manual)
  • Effective Change Control should include the registering of proposed changes. (Attach A ¶ 2, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Effective Change Control should include the scheduling of the change. (Attach A ¶ 2, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should schedule and review the changes to verify that multiple changes being made at the same time do not interfere with each other. (Attach A ¶ 2(g), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Key components of effective change control include: registration of proposed changes; impact assessment; change scheduling; and approval of changes prior to deployment into the production environment. Change management aims to balance the need for change with the potential detrimental impact of the … (Attachment A ¶ 2, The AD_offical_Name should be: APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • changes scheduled and reviewed to ensure that multiple changes made at the same time do not conflict with each other; (Attachment A ¶ 2(g), The AD_offical_Name should be: APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Change requests should be submitted to the appropriate personnel for approval. (§ 2.8.10, Australian Government ICT Security Manual (ACSI 33))
  • an asset inventory of the existing applications and ICT systems in the production environment, as well as the test and development environment, so that required changes (e.g. version updates or upgrades, systems patching, configuration changes) can be properly managed, implemented and monitored for … (Title 3 3.3.4(c) 56.d, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Criteria for the classification and prioritisation of changes and related requirements for the type and scope of tests to be carried out and permits to be obtained (Section 5.11 BEI-03 Basic requirement ¶ 1 Bullet 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Change requests for IT systems shall be accepted, documented, evaluated taking due account of potential implementation risks, prioritised and approved in an orderly way, and implemented in a coordinated and secure way. (II.7.49, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • (§ 2.2.3, § 3.3.4, OGC ITIL: Security Management)
  • The purpose of the change enablement practice is to maximize the number of successful service and product changes by ensuring that risks have been properly assessed, authorizing changes to proceed, and managing the change schedule. (5.2.4 ¶ 1, ITIL Foundation, 4 Edition)
  • How are changes to firewall and network configurations tracked and managed? (Appendix D, Build and Maintain a Secure Network Bullet 5, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Change control procedures will be followed for all changes to system components. (§ 6.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Reason for, and description of, the change. (6.5.1 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Interview responsible personnel and observe processes to verify that any requests to disable or alter anti-malware mechanisms are specifically documented and authorized by management on a case-by-case basis for a limited time period. (5.3.5.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Reason for, and description of, the change. (6.5.1 Bullet 1, Self-Assessment Questionnaire A-EP and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Reason for, and description of, the change. (6.5.1 Bullet 1, Self-Assessment Questionnaire C and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Reason for, and description of, the change. (6.5.1 Bullet 1, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Reason for, and description of, the change. (6.5.1 Bullet 1, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Prior to changes being applied to the live environment, change requests should be accepted only from authorized individuals. (CF.07.06.03a-2, The Standard of Good Practice for Information Security)
  • Prior to changes being applied to the live environment, change requests should be accepted only from authorized individuals. (CF.07.06.03a-2, The Standard of Good Practice for Information Security, 2013)
  • Changes to mobile device operating systems, patch levels, and/or applications shall be managed through the company's change management processes. (MOS-15, Cloud Controls Matrix, v3.0)
  • Policies and procedures shall be established, and supporting IT governance and service management-related business processes implemented, for managing the risks associated with applying changes to business-critical or customer (tenant) impacting (physical and virtual) application and system-system i… (CCC-05, Cloud Controls Matrix, v3.0)
  • Manage changes to endpoint operating systems, patch levels, and/or applications through the company's change management processes. (UEM-07, Cloud Controls Matrix, v4.0)
  • The Change Management process shall be followed when a specific selected risk control measure requires a change to the network. (§ 4.4.4.2 ¶ 1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall establish a Change Management process to evaluate the events and propose changes. (§ 4.6.2 ¶ 1(b), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • Change requests shall be assessed to identify changed or new Information Security risks. (§ 6.6.3 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • A change request shall be used for resolving problems that require a change to a Configuration Item. (§ 8.2 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Documented procedures shall exist for recording, classifying, assessing, and approving change requests. (§ 9.2 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Changes to services or service components shall be accomplished with a change request. (§ 9.2 ¶ 5, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • For the control of documented information, the organization shall address the following activities, as applicable — distribution, access, retrieval and use, — storage and preservation, including preservation of legibility, — control of changes, — retention and disposition, — retrieval and … (§ 7.5.3 ¶ 2, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • changes in external and internal issues that are relevant to the business continuity management system, (§ 9.3 ¶ 2 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • the purpose of the changes and their potential consequences; (§ 6.3 ¶ 2 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Modifications to software packages shall be discouraged, limited to necessary changes and all changes shall be strictly controlled. (A.14.2.4 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • In addition to implementing the control given by ISO/IEC 27002, organizations processing personal health information shall, by means of a formal and structured change control process, control changes to information processing facilities and systems that process personal health information to ensure … (§ 12.1.2 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • the purpose of the changes and their potential consequences; (§ 6.3 ¶ 2 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall create an audit trail that can be used to trace change requests, problem reports, and change request approvals. (§ 8.2.4, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • the purpose of the changes and their potential consequences; (6.3 ¶ 2(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the purpose of the changes and their potential consequences; (§ 10.2 ¶ 3 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall prioritize requests for change and proposals for new or changed services to align with business needs and service management objectives, taking into consideration available resources. (§ 8.2.2 ¶ 4, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization shall plan the deployment of new or changed services and service components into the live environment. Planning shall be co-ordinated with change management and include references to the related requests for change, known errors or problems which are being closed through the release… (§ 8.5.3 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Assessing, approving, scheduling and reviewing of new or changed services in the scope of 8.5.2 shall be managed through the change management activities in 8.5.1.3. (§ 8.5.1.2 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • changes to the SMS including new or changed policies, plans, processes, procedures, measures and knowledge; (§ 8.5.2.2 ¶ 1(e), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization and interested parties shall make decisions on the approval and priority of requests for change. Decision-making shall take into consideration the risks, business benefits, feasibility and financial impact. Decision making shall also consider potential impacts of the change on: (§ 8.5.1.3 ¶ 1, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Requests for change not being managed through 8.5.2 shall be managed through the change management activities in 8.5.1.3. (§ 8.5.1.2 ¶ 4, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Modifications to software packages should be discouraged, limited to necessary changes and all changes should be strictly controlled. (§ 14.2.4 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • The organization controls planned changes and reviews the consequences of unintended changes, and ensures that outsourced processes are identified, defined and controlled. (§ 8.1 Required activity ¶ 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • feedback from interested parties, including suggestions for improvement, requests for change and complaints; (§ 9.3 Guidance ¶ 4(d), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defi… (CM-3g., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defi… (CM-3g., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defi… (CM-3g., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • A process for managing system changes throughout the lifecycle of the system and its components (infrastructure, data, software and procedures) is used to support system availability and processing integrity. (CC8.1 Manages Changes Throughout the System Lifecycle, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. (CC8.1, Trust Services Criteria)
  • The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives. (CC8.1 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • A process for managing system changes throughout the life cycle of the system and its components (infrastructure, data, software, and procedures) is used to support system availability and processing integrity. (CC8.1 ¶ 2 Bullet 1 Manages Changes Throughout the System Life Cycle, Trust Services Criteria, (includes March 2020 updates))
  • Change management processes are initiated when deficiencies in the design or operating effectiveness of controls are identified during system operation and are monitored to meet the entity’s commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement:… (CC7.3, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Are changes to the production environment subject to the Change Control Process? (§ G.2.12, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does the operation Change Management/Change Control policy or program include request of proposed changes? (§ G.2.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Does the operation Change Management/Change Control policy or program include maintenance of Change Control logs? (§ G.2.9, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When application development is performed, are Change Control procedures required for all changes to the production environment? (§ I.2.10, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • CSR 3.5.1: A change request document must support new system components and system software products or versions and modifications to existing system software. CSR 6.3.5: Programmers must prepare changes to the detailed system specifications and the changes must be reviewed by the appropriate manage… (CSR 3.5.1, CSR 6.3.5, CSR 6.3.6, CSR 6.7.1, CSR 10.10.1(11), Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Within 30 calendar days after the end of each calendar quarter, submit to the Commission a report describing completed, ongoing, and planned material changes to its SCI systems and the security of indirect SCI systems, during the prior, current, and subsequent calendar quarters, including the dates … (§242.1003(a)(1), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Track, review, approve, or disapprove, and log changes to organizational systems. (CM.2.065, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Track, review, approve, or disapprove, and log changes to organizational systems. (CM.2.065, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Track, review, approve, or disapprove, and log changes to organizational systems. (CM.2.065, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Track, review, approve, or disapprove, and log changes to organizational systems. (CM.2.065, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Figure 8 shows the normal flow of significant change information if the CSO has a 3PAO assessed Non-DoD Federal Agency ATO listed in the FedRAMP catalog. Since the FedRAMP JAB does not control the Agency ATO, information from the CSP may not flow from the authorizing agency to the FedRAMP PMO. To av… (Section 5.3.2.1 ¶ 6, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • The Change Control Process must include the review and approval of change requests. (ECSD-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • A medical device manufacturer shall establish and maintain procedures for changing specifications, processes, methods, or procedures. These changes shall be verified or validated before being implemented, and these activities shall be documented. All changes shall be approved in accordance with § 8… (§ 820.70(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Request that includes the reasons for the change and details of the change. (App A Objective 6:4a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Review of requests to determine viability, business practicality, and prioritization. (App A Objective 6:4b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Incorporation of appropriate segregation of duties and monitoring throughout the change management process. (App A Objective 6:3g, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Exam Tier II Obj 9.17 Assess whether controls are appropriate for the adjustment process, including authorization (e.g., signature verification and callbacks on telephone instructions) and whether the institution maintains adequate records (e.g., logs and taping of telephone calls) of individuals ma… (Exam Tier II Obj 9.17, Exam Tier II Obj 9.18, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • States that the use of a standardized change request form will help ensure that requests are clearly communicated and that approvals are properly documented. It further states that authorization documentation should be maintained for at least as long as a system is in operation in case questions ari… (CC-1.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defin… (CM-3g. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defin… (CM-3g. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Does the change control documentation provide adequate audit trails, logs, and support for all types of software modifications? (IT - Networks Q 29, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; (CM-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration chan… (CM-3g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; (CM-3b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration chan… (CM-3g., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; (CM-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration chan… (CM-3g., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; (CM-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration chan… (CM-3g., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; (CM-3b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration chan… (CM-3g., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enf… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defi… (CM-3g. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defi… (CM-3g. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should conduct periodic audits of the smart grid Information System to validate Change Management procedures and to verify an audit trail of reviews and approvals exists. (SG.AU-14 Supplemental Guidance 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should implement a process for monitoring changes to the system. (SG.CM-4 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization coordinates and provides oversight for configuration change control activities through {organizationally documented configuration change control element (e.g., committee, board)} that convenes {organizationally documented configuration change conditions}. (CM-3g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization enforces dual authorization for implementing changes to {organizationally documented system-level information}. (CM-5(4), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to document, manage, and control the integrity of changes to {organizationally documented configuration items under configuration management}. (SA-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization coordinates and provides oversight for configuration change control activities through {organizationally documented configuration change control element (e.g., committee, board)} that convenes {organizationally documented frequency}. (CM-3g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to document, manage, and control the integrity of changes to {organizationally documented configuration items under configuration management}. (SA-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization coordinates and provides oversight for configuration change control activities through {organizationally documented configuration change control element (e.g., committee, board)} that convenes {organizationally documented configuration change conditions}. (CM-3g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization requires the developer of the information system, system component, or information system service to document, manage, and control the integrity of changes to {organizationally documented configuration items under configuration management}. (SA-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defi… (CM-3g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defi… (CM-3g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defi… (CM-3g., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; (CM-3b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration chan… (CM-3g., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defin… (CM-3g., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defi… (CM-3g., TX-RAMP Security Controls Baseline Level 2)
  • Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; (CM-3b., TX-RAMP Security Controls Baseline Level 2)
  • Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management]; (SA-10b., TX-RAMP Security Controls Baseline Level 2)