N
|
controlCM-3

Configuration Change Control (CM-3)

Determine and document the types of changes to the system that are configuration-controlled; Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; Document configuration change decisions associated with the system; Implement approved configuration-controlled changes to the system; Retain records of configuration-controlled changes to the system for [organization-defined]; Monitor

Security Baselines

MODERATEHIGHLOW
configurationbaselineschange-control

Why These Connect

Baselined In2

This control is included in the linked security baseline (LOW, MODERATE, or HIGH).

Supports31

These related controls work together — a change to one may affect the others.

Enhances8

These enhancements add specific capabilities or refinements to the base control.

Related Controls(26)

AU-2Event Logging (AU-2)
LMH
CA-7Continuous Monitoring (CA-7)
LMH
CM-2Baseline Configuration (CM-2)
LMH
CM-4Impact Analyses (CM-4)
LMH
CM-5Access Restrictions for Change (CM-5)
LMH
CM-6Configuration Settings (CM-6)
LMH
CM-9Configuration Management Plan (CM-9)
MH
CM-11User-installed Software (CM-11)
LMH
IA-3Device Identification and Authentication (IA-3)
MH
MA-2Controlled Maintenance (MA-2)
LMH
PE-16Delivery and Removal (PE-16)
LMH
PT-6System of Records Notice (PT-6)RA-8Privacy Impact Assessments (RA-8)SA-8Security and Privacy Engineering Principles (SA-8)
LMH
SA-10Developer Configuration Management (SA-10)
MH
SC-28Protection of Information at Rest (SC-28)
MH
SC-34Non-modifiable Executable Programs (SC-34)SC-37Out-of-band Channels (SC-37)SI-2Flaw Remediation (SI-2)
LMH
SI-3Malicious Code Protection (SI-3)
LMH
SI-4System Monitoring (SI-4)
LMH
SI-7Software, Firmware, and Information Integrity (SI-7)
MH
SI-10Information Input Validation (SI-10)
MH
SR-11Component Authenticity (SR-11)
LMH
PM-31Continuous Monitoring Strategy (PM-31)SC-12Cryptographic Key Establishment and Management (SC-12)
LMH

Control Enhancements(8)

CM-3(1)Automated Documentation, Notification, and Prohibition of Changes (CM-3(1))
H
CM-3(2)Testing, Validation, and Documentation of Changes (CM-3(2))
MH
CM-3(3)Automated Change Implementation (CM-3(3))
CM-3(4)Security and Privacy Representatives (CM-3(4))
MH
CM-3(5)Automated Security Response (CM-3(5))
CM-3(6)Cryptography Management (CM-3(6))
H
CM-3(7)Review System Changes (CM-3(7))
CM-3(8)Prevent or Restrict Configuration Changes (CM-3(8))

See Also

@SP 800-53 OverviewCompare Baselines