BRACKETOLOGY | FEDRAMP

CM-4: SECURITY IMPACT ANALYSIS

FedRAMP Baseline Membership CM-4:
LOW
MODERATE
HIGH

How Do I Use This Page for FedRAMP Cloud Security

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

SUPPLEMENTAL GUIDANCE

Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems.

RELATED CONTROLS: CM-4

CA-2 — SECURITY ASSESSMENT AND AUTHORIZATION | SECURITY ASSESSMENTS/a>

CONTROL ENHANCEMENTS

CM-4 (1) SECURITY IMPACT ANALYSIS | SEPARATE TEST ENVIRONMENTS

FedRAMP Baseline Membership CM-4 (1):
HIGH

The organization analyzes changes to the information system in a separate test environment before implementation in an operational environment, looking for security impacts due to flaws, weaknesses, incompatibility, or intentional malice.

Supplemental Guidance:

Separate test environment in this context means an environment that is physically or logically isolated and distinct from the operational environment. The separation is sufficient to ensure that activities in the test environment do not impact activities in the operational environment, and information in the operational environment is not inadvertently transmitted to the test environment. Separate environments can be achieved by physical or logical means. If physically separate test environments are not used, organizations determine the strength of mechanism required when implementing logical separation (e.g., separation achieved through virtual machines).

RELATED CONTROLS: CM-4 (1)

CM-4 (2) SECURITY IMPACT ANALYSIS | VERIFICATION OF SECURITY FUNCTIONS

The organization, after the information system is changed, checks the security functions to verify that the functions are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security requirements for the system.

Supplemental Guidance:

Implementation is this context refers to installing changed code in the operational information system.

RELATED CONTROLS: CM-4 (2)

SA-11 — SYSTEM AND SERVICES ACQUISITION | DEVELOPER SECURITY TESTING AND EVALUATION

REFERENCES:

NIST Special Publication 800-128