3.4.3

Discussion

Configuration change control refers to tracking, reviewing, approving or disapproving, and logging changes to the system. Specifically, it involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the system, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for system components (e.g., operating systems, applications, firewalls, routers, mobile devices) and configuration items of the system, changes to configuration settings, unscheduled and unauthorized changes, and changes to remediate vulnerabilities. This requirement is related to 03.04.04.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: configuration management policy and procedures; procedures for system configuration change control; configuration management plan; system architecture; configuration settings; change control records; system audit records; change control audit and review reports; agenda, minutes, and documentation from configuration change control oversight meetings; system security plan; other relevant documents or records]
Interview

[SELECT FROM: processes for configuration change control; mechanisms that implement configuration change control]
Test

[SELECT FROM: personnel with configuration change control responsibilities; personnel with information security responsibilities; members of change control board or similar; system administrators]

ID	Assessment Objectives
A.03.04.03.a	the types of changes to the system that are configuration-controlled are defined.
A.03.04.03.b[01]	proposed configuration-controlled changes to the system are reviewed with explicit consideration for security impacts.
A.03.04.03.b[02]	proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security impacts.
A.03.04.03.c[01]	approved configuration-controlled changes to the system are implemented.
A.03.04.03.c[02]	approved configuration-controlled changes to the system are documented.
A.03.04.03.d[01]	activities associated with configuration-controlled changes to the system are monitored.
A.03.04.03.d[02]	activities associated with configuration-controlled changes to the system are reviewed.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!