BRACKETOLOGY | FEDRAMP

CM-3: CONFIGURATION CHANGE CONTROL

  • FedRAMP Baseline Membership CM-3:
  • MODERATE
  • HIGH

The organization:

    • a. Determines the types of changes to the information system that are configuration-controlled;
    • b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
    • c. Documents configuration change decisions associated with the information system;
    • d. Implements approved configuration-controlled changes to the information system;
    • e. Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];
    • f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
    • g. Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].
FedRAMP control configuration information (FedRAMP-assigned parameter values are shown in brackets):

LOW: There are no FedRAMP-specific requirements if this control is used for a LOW Impact system.

MODERATE and HIGH: The organization:

  • a. Determines the types of changes to the information system that are configuration-controlled;
  • b. Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;
  • c. Documents configuration change decisions associated with the information system;
  • d. Implements approved configuration-controlled changes to the information system;
  • e. Retains records of configuration-controlled changes to the information system for [organization-defined time period; see the FedRAMP guidance below];
  • f. Audits and reviews activities associated with configuration-controlled changes to the information system; and
  • g. Coordinates and provides oversight for configuration change control activities through [organization-defined configuration change control element (e.g., committee, board); see the FedRAMP requirement below] that convenes [Selection (one or more): organization-defined frequency; organization-defined configuration change conditions].

FedRAMP REQUIREMENT:

The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

FedRAMP GUIDANCE:

CM-3e.: In accordance with record retention policies and procedures.


SUPPLEMENTAL GUIDANCE

Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.

RELATED CONTROLS: CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, SA-10, SI-2, SI-12

CONTROL ENHANCEMENTS

CM-3 (1) CONFIGURATION CHANGE CONTROL | AUTOMATED DOCUMENT / NOTIFICATION / PROHIBITION OF CHANGES
  • FedRAMP Baseline Membership CM-3 (1):
  • HIGH

The organization employs automated mechanisms to:

    • (a) Document proposed changes to the information system;
    • (b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the information system and request change approval;
    • (c) Highlight proposed changes to the information system that have not been approved or disapproved by [Assignment: organization-defined time period];
    • (d) Prohibit changes to the information system until designated approvals are received;
    • (e) Document all changes to the information system; and
    • (f) Notify [Assignment: organization-defined personnel] when approved changes to the information system are completed.
FedRAMP control configuration information (FedRAMP-assigned parameter values are shown in brackets):

LOW and MODERATE: CM-3 (1) is in the HIGH baseline only; there are no FedRAMP-specific requirements if this enhancement is used for a LOW or MODERATE Impact system.

HIGH: The FedRAMP values for the bracketed assignments in (b), (c) and (f) are not reproduced on this page. The baseline-review text that follows is the FedRAMP parameterization of CM-2 (1) (Baseline Configuration | Reviews and Updates), which the source page displays in this panel; it is not part of CM-3 (1).

CM-2 (1), MODERATE: The organization reviews and updates the baseline configuration of the information system:

  • (a) [at least annually];
  • (b) When required due to [organization-defined circumstances, to include when directed by the JAB]; and
  • (c) As an integral part of information system component installations and upgrades.

CM-2 (1), HIGH: The organization reviews and updates the baseline configuration of the information system:

  • (a) [at least annually or when a significant change occurs];
  • (b) When required due to [organization-defined circumstances, to include when directed by the JAB]; and
  • (c) As an integral part of information system component installations and upgrades.

FedRAMP GUIDANCE (CM-2 (1)):

Significant change is defined in NIST Special Publication 800-37 Revision 1, Appendix F, Page F-7.


Supplemental Guidance: NONE

CM-3 (2) CONFIGURATION CHANGE CONTROL | TEST/VALIDATE/DOCUMENT CHANGES
  • FedRAMP Baseline Membership CM-3 (2):
  • HIGH

The organization tests, validates, and documents changes to the information system before implementing the changes on the operational system.

Supplemental Guidance:

Changes to information systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-6. Organizations ensure that testing does not interfere with information system operations. Individuals/groups conducting tests understand organizational security policies and procedures, information system security policies and procedures, and the specific health, safety, and environmental risks associated with particular facilities/processes. Operational systems may need to be taken off-line, or replicated to the extent feasible, before testing can be conducted. If information systems must be taken off-line for testing, the tests are scheduled to occur during planned system outages whenever possible. If testing cannot be conducted on operational systems, organizations employ compensating controls (e.g., testing on replicated systems).

CM-3 (3) CONFIGURATION CHANGE CONTROL | AUTOMATED CHANGE IMPLEMENTATION

The organization employs automated mechanisms to implement changes to the current information system baseline and deploys the updated baseline across the installed base.

Supplemental Guidance: NONE

CM-3 (4) CONFIGURATION CHANGE CONTROL | SECURITY REPRESENTATIVE
  • FedRAMP Baseline Membership CM-3 (4):
  • HIGH

The organization requires an information security representative to be a member of the [Assignment: organization-defined configuration change control element].

FedRAMP control configuration information (FedRAMP-assigned parameter values are shown in brackets):

LOW and MODERATE: There are no FedRAMP-specific requirements if this enhancement is used for a LOW or MODERATE Impact system.

HIGH: The organization requires an information security representative to be a member of the [configuration control board (CCB) or similar (as defined in CM-3)].


Supplemental Guidance:

Information security representatives can include, for example, senior agency information security officers, information system security officers, or information system security managers. Representation by personnel with information security expertise is important because changes to information system configurations can have unintended side effects, some of which may be security-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security state of organizational information systems. The configuration change control element in this control enhancement reflects the change control elements defined by organizations in CM-3.
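The automated mechanisms listed in CM-3 (1), together with the CM-3 (4) requirement that an information security representative sit on the change control element, amount to an approval gate in front of deployment. The Python below is an added example written for this page, not FedRAMP or NIST material and not any vendor's tooling. The approver roles, the five-day undecided limit, the notification hook and the sample change request are all assumptions made for the illustration.

```python
"""Approval-gated change control: an added illustration of CM-3 (1) and CM-3 (4).
Records proposals and decisions, notifies approvers and the proposer, highlights
proposals undecided past a time limit, and refuses implementation until every
designated approval (including the security representative) is recorded.
Roles, the time limit and the sample change are constructed for this example."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List

# Designated approval authorities (assumed); the security representative is mandatory (CM-3 (4)).
REQUIRED_APPROVER_ROLES = frozenset({"change_manager", "security_representative"})
UNDECIDED_LIMIT = timedelta(days=5)  # assumed organization-defined time period for (c)


@dataclass
class Approval:
    role: str
    approver: str
    decision: str  # "approved" or "disapproved"
    at: datetime


@dataclass
class ChangeRequest:
    change_id: str
    description: str
    proposed_by: str
    proposed_at: datetime
    approvals: List[Approval] = field(default_factory=list)
    state: str = "proposed"  # proposed -> approved | disapproved -> implemented
    audit_log: list = field(default_factory=list)  # retained change records (CM-3 e, f)

    def record(self, event: str, at: datetime) -> None:
        self.audit_log.append((at.isoformat(), self.change_id, event))


class ChangeControl:
    """Automated mechanism coordinating the CM-3 (1) workflow."""

    def __init__(self, notify: Callable[[str, str], None]):
        self.notify = notify  # (recipient, message); e.g. a ticketing or e-mail hook
        self.requests: Dict[str, ChangeRequest] = {}

    def propose(self, cr: ChangeRequest) -> None:
        self.requests[cr.change_id] = cr
        cr.record("proposed", cr.proposed_at)                     # (a) document the proposal
        for role in sorted(REQUIRED_APPROVER_ROLES):              # (b) request approval
            self.notify(role, f"{cr.change_id}: approval requested")

    def decide(self, change_id: str, approval: Approval) -> None:
        cr = self.requests[change_id]
        if approval.role not in REQUIRED_APPROVER_ROLES:
            raise ValueError(f"{approval.role} is not a designated approval authority")
        cr.approvals.append(approval)
        cr.record(f"{approval.decision} by {approval.role}", approval.at)
        if approval.decision == "disapproved":
            cr.state = "disapproved"
        elif {a.role for a in cr.approvals if a.decision == "approved"} >= REQUIRED_APPROVER_ROLES:
            cr.state = "approved"

    def overdue(self, now: datetime) -> List[str]:
        """(c): proposals with no final decision after UNDECIDED_LIMIT."""
        return [cid for cid, cr in self.requests.items()
                if cr.state == "proposed" and now - cr.proposed_at > UNDECIDED_LIMIT]

    def implement(self, change_id: str, now: datetime) -> None:
        """(d): refuse the change until all designated approvals are received."""
        cr = self.requests[change_id]
        if cr.state != "approved":
            cr.record("implementation refused: not approved", now)
            raise PermissionError(f"{change_id} is {cr.state}; approvals required from "
                                  f"{sorted(REQUIRED_APPROVER_ROLES)}")
        cr.state = "implemented"
        cr.record("implemented", now)                                       # (e) document the change
        self.notify(cr.proposed_by, f"{change_id}: change completed")       # (f) notify on completion


def demo() -> dict:
    """Walk a constructed change through the workflow and return what happened."""
    sent = []
    cc = ChangeControl(notify=lambda to, msg: sent.append((to, msg)))
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    cr = ChangeRequest("CR-1001", "raise TLS minimum to 1.2 on load balancer", "ops-alice", t0)
    cc.propose(cr)
    cc.decide("CR-1001", Approval("change_manager", "bob", "approved", t0 + timedelta(days=1)))
    try:                                 # the security representative has not decided yet
        cc.implement("CR-1001", t0 + timedelta(days=2))
        blocked = False
    except PermissionError:
        blocked = True
    overdue = cc.overdue(t0 + timedelta(days=7))
    cc.decide("CR-1001", Approval("security_representative", "carol", "approved", t0 + timedelta(days=8)))
    cc.implement("CR-1001", t0 + timedelta(days=9))
    return {"blocked_without_security_rep": blocked, "overdue_at_day_7": overdue,
            "final_state": cr.state, "notifications": sent,
            "audit_events": [e for _, _, e in cr.audit_log]}
```

The gate is only as strong as the path around it: it has to be the sole route by which changes reach the operational system, which in practice means the deployer identity holds no credentials to apply changes directly and the pipeline refuses to run `implement` for anything not in the approved state. The retained `audit_log` is what CM-3 e and f ask an assessor for, so it should land in tamper-evident storage rather than in the request object alone.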

CM-3 (5) CONFIGURATION CHANGE CONTROL | AUTOMATED SECURITY RESPONSE

The information system implements [Assignment: organization-defined security responses] automatically if baseline configurations are changed in an unauthorized manner.

Supplemental Guidance:

Security responses include, for example, halting information system processing, halting selected system functions, or issuing alerts/notifications to organizational personnel when there is an unauthorized modification of a configuration item.
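The automated response in CM-3 (5) presupposes a way to tell an unauthorized baseline change from one that went through CM-3. A practical pattern is to keep the approved baseline as a manifest of configuration items and content hashes, re-hash on a schedule, and treat drift as authorized only when the new hash matches an approved change record. The Python below is an added example written for this page, not FedRAMP or NIST material and not a specific product's logic. The file paths, file contents, change record, critical-item list and response policy are constructed for the illustration.

```python
"""Automated security response to unauthorized baseline changes: an added
illustration of CM-3 (5). A baseline maps configuration items to the SHA-256 of
their approved content; drift is authorized only if it matches an approved CM-3
change record (path plus expected new hash). Everything else raises an alert and,
for items marked critical, halts the dependent function. Paths, contents and the
change record are constructed for this example."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class ApprovedChange:
    """A CM-3 change record: which item changes and what content was approved."""
    change_id: str
    path: str
    new_hash: str


@dataclass(frozen=True)
class Drift:
    path: str
    kind: str                    # "modification", "addition" or "removal"
    authorized_by: Optional[str]  # change_id of the matching approved record, else None


def build_baseline(contents: Dict[str, bytes]) -> Dict[str, str]:
    """Record the approved state: path -> SHA-256 of content."""
    return {path: sha256(data) for path, data in contents.items()}


def detect_drift(baseline: Dict[str, str], current: Dict[str, bytes],
                 approved: List[ApprovedChange]) -> List[Drift]:
    """Compare current content to the baseline and classify each difference."""
    approved_by_path = {(c.path, c.new_hash): c.change_id for c in approved}
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            findings.append(Drift(path, "removal", None))   # removals are never pre-approved here
            continue
        h = sha256(current[path])
        if path not in baseline:
            findings.append(Drift(path, "addition", approved_by_path.get((path, h))))
        elif h != baseline[path]:
            findings.append(Drift(path, "modification", approved_by_path.get((path, h))))
    return findings


def respond(findings: List[Drift], critical: Set[str]) -> List[str]:
    """Organization-defined security responses for unauthorized drift.
    Assumed policy: every unauthorized change raises an alert; an unauthorized
    change to a critical item also halts the function that depends on it."""
    actions = []
    for f in findings:
        if f.authorized_by:
            continue  # matches an approved CM-3 change record: no response
        actions.append(f"ALERT: unauthorized {f.kind} of {f.path}")
        if f.path in critical:
            actions.append(f"HALT: function depending on {f.path} suspended")
    return actions


def demo() -> dict:
    # Approved baseline for a constructed host.
    baseline_contents = {
        "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
        "/etc/sudoers": b"%wheel ALL=(ALL) ALL\n",
        "/etc/app/tls.conf": b"min_version = TLSv1.1\n",
    }
    baseline = build_baseline(baseline_contents)

    # One change went through CM-3: raising the TLS floor in /etc/app/tls.conf.
    approved_tls = b"min_version = TLSv1.2\n"
    approved = [ApprovedChange("CR-1001", "/etc/app/tls.conf", sha256(approved_tls))]

    # Current state: the approved TLS change is applied, but sshd_config was also
    # altered to allow root logins and a stray sudoers drop-in appeared.
    current = dict(baseline_contents)
    current["/etc/app/tls.conf"] = approved_tls
    current["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication no\n"
    current["/etc/sudoers.d/backdoor"] = b"mallory ALL=(ALL) NOPASSWD: ALL\n"

    findings = detect_drift(baseline, current, approved)
    actions = respond(findings, critical={"/etc/ssh/sshd_config", "/etc/sudoers"})
    return {"findings": findings, "actions": actions}


if __name__ == "__main__":
    result = demo()
    for f in result["findings"]:
        print(f)
    for a in result["actions"]:
        print(a)
```

Two points matter when this runs for real. The baseline manifest and the approved-change records are themselves configuration items and must be protected from the same actor who could alter the monitored files, otherwise an attacker rewrites the manifest alongside the file. And "halt" should be scoped to the function that depends on the item, as the supplemental guidance allows, rather than the whole system, so that a single unauthorized edit cannot be turned into a denial of service against the service provider.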

CM-3 (6) CONFIGURATION CHANGE CONTROL | CRYPTOGRAPHY MANAGEMENT
  • FedRAMP Baseline Membership CM-3 (6):
  • HIGH

The organization ensures that cryptographic mechanisms used to provide [Assignment: organization-defined security safeguards] are under configuration management.

FedRAMP control configuration information (FedRAMP-assigned parameter values are shown in brackets):

LOW and MODERATE: There are no FedRAMP-specific requirements if this enhancement is used for a LOW or MODERATE Impact system.

HIGH: The organization ensures that cryptographic mechanisms used to provide [all security safeguards that rely on cryptography] are under configuration management.


Supplemental Guidance:

Regardless of the cryptographic means employed (e.g., public key, private key, shared secrets), organizations ensure that there are processes and procedures in place to effectively manage those means. For example, if devices use certificates as a basis for identification and authentication, there needs to be a process in place to address the expiration of those certificates.

RELATED CONTROLS: SC-13

REFERENCES:

  • NIST Special Publication 800-128