CM-3: Configuration Change Control

An OSCAL Control

Statement

    • a. Determine and document the types of changes to the system that are configuration-controlled;

    • b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;

    • c. Document configuration change decisions associated with the system;

    • d. Implement approved configuration-controlled changes to the system;

    • e. Retain records of configuration-controlled changes to the system for ;

    • f. Monitor and review activities associated with configuration-controlled changes to the system; and

    • g. Coordinate and provide oversight for configuration change control activities through that convenes .

      • Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

      • (e) Guidance: In accordance with record retention policies and procedures.