CMMC Practice CM.2.065
Track, review, approve, or disapprove, and log changes to organizational systems.
Bold Coast Security Guidance
For Level 2 compliance, your policy must state that a risk-based change management plan and procedures are required to perform changes to IT systems in your environment.
Change management is a core capability. The best way to begin to implement this practice is by first identifying the types of changes that take place in your environment. Once that list is compiled, each change-type must be rated according to the risk it represents. For instance, a new DAT file may be installed on every computer each day to update anti-virus definitions. This is a change to software in your environment, but the risk it represents is extremely low. In contrast, a major software or hardware upgrade can present significant risk in the form of system disruption or downtime if the upgrade does not go as planned, or if it conflicts with existing software and hampers a system's functionality.
Once change-types are rated according to risk, you must then determine what procedures will be mandated according to the change-types. For low-risk changes, a simple record of the change having occurred may be enough. For more significant changes, more research, planning, documentation, approvals, and testing may be required.
It is wise to form a Change Advisory Board (CAB) in your organization, no matter your size. The CAB meets regularly to review past changes and plan for future changes. Lessons learned from past changes become part of a constant process of improvement that will have significant benefit to your organization over time. The CAB does not have to be a time-intensive undertaking. Meeting weekly or monthly, the CAB becomes part of the intelligence of your organization in a practical way, and it also shows that your organization considers change to be a critical area of information security practice.
Contact your Bold Coast Security Coach for assistance in getting this critical function into practice.
DRAFT NIST SP 800-171 R2
Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control. Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes.
NIST SP 800-128 provides guidance on configuration change control.
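The following is an added example, not Bold Coast Security's or NIST's code, showing the risk-based procedure from the guidance above (rate each change-type, mandate steps per tier, approve or disapprove) together with the before/after audit logging the NIST text describes. The change types, risk tiers and step names are constructed sample values; your CAB decides the real list.

```python
"""Risk-tiered change-control ledger (added example, not the page's own code).
Change types, risk ratings and mandated steps are constructed sample values that
follow the guidance above: an AV definition update is low risk and needs only a
record; a major upgrade is high risk and needs approval, testing and a rollback plan."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed: each change type rated by the risk it represents.
RISK_BY_TYPE = {"av_definition_update": "low", "firewall_rule_change": "medium",
                "major_upgrade": "high"}
# Constructed: procedures mandated per risk tier (low risk = record only).
REQUIRED_STEPS = {"low": set(), "medium": {"approval"},
                  "high": {"approval", "test_results", "rollback_plan"}}

@dataclass
class ChangeRequest:
    change_id: str
    change_type: str
    completed_steps: set = field(default_factory=set)
    status: str = "proposed"

class ChangeLedger:
    """Append-only audit log of every review decision and implementation."""
    def __init__(self):
        self.entries = []

    def _log(self, change, event, detail):
        self.entries.append({"ts": datetime.now(timezone.utc).isoformat(),
                             "change_id": change.change_id, "event": event, "detail": detail})

    def review(self, change):
        """Approve only when every step mandated for the change's risk tier is done;
        returns (status, missing_steps). Unrated change types are disapproved."""
        tier = RISK_BY_TYPE.get(change.change_type)
        missing = ["risk_rating"] if tier is None else sorted(REQUIRED_STEPS[tier] - change.completed_steps)
        change.status = "disapproved" if missing else "approved"
        self._log(change, change.status, f"tier={tier} missing={missing}")
        return change.status, missing

    def implement(self, change, before_state, after_state):
        """Record an implementation only for an approved change, logging the state
        before and after it, as the NIST text expects of change audit logs."""
        if change.status != "approved":
            self._log(change, "blocked", "implementation attempted without approval")
            return False
        change.status = "implemented"
        self._log(change, "implemented", f"before={before_state} after={after_state}")
        return True
```

The ledger entries are what an assessor would ask to see: every approval, disapproval, blocked attempt and implementation, with timestamps and the states before and after each change.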