SA-10(2)

Requirement

Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.

Discussion

Alternate configuration management processes may be required when organizations use commercial off-the-shelf information technology products. Alternate configuration management processes include organizational personnel who review and approve proposed changes to systems, system components, and system services and conduct security and privacy impact analyses prior to the implementation of changes to systems, components, or services.

Title

Developer Configuration Management | Alternative Configuration Management Processes
Family

System and Services Acquisition
NIST 800-53B Baseline(s)

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: System and services acquisition policy; system and services acquisition procedures; configuration management policy; configuration management plan; solicitation documentation; acquisition documentation; service level agreements; acquisition contracts for the system, system component, or system service; system developer configuration management plan; security impact analyses; privacy impact analyses; privacy impact assessment; privacy risk assessment documentation; system security plan; privacy plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with acquisition responsibilities; organizational personnel with information security and privacy responsibilities; organizational personnel with configuration management responsibilities; system developers].

Test

[SELECT FROM: Organizational processes for monitoring developer configuration management; mechanisms supporting and/or implementing the monitoring of developer configuration management].

ID	Assessment Objectives
SA-10(02)	an alternate configuration management process has been provided using organizational personnel in the absence of a dedicated developer configuration management team.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!