CMMC Practice CM.L2-3.4.3

Track, review, approve, or disapprove, and log changes to organizational systems.

Bold Coast Security Guidance

Change management is a core capability. The best way to begin to implement this practice is by first identifying the types of changes that take place in your environment. Once that list is compiled, each change-type must be rated as to the risk it represents. For instance, every day there may be a new DAT file that is installed on every computer to update anti-virus definitions. This is a change to software in your environment, but the risk it represents is extremely low. In contrast, performing a major software or hardware upgrade can present significant risk in the form of system disruption/downtime if the upgrade does not go as planned, or if the upgrade causes conflict in existing software and hampers a system's functionality. It is wise to form a Change Advisory Board (CAB) in your organization, no matter your size. The CAB meets regularly to review past changes, and plan for future changes. Lessons learned from past changes become part of a constant process of improvement that will have significant benefit to your organization over time. The CAB does not have to be a time intensive undertaking. Meeting weekly or monthly, the CAB becomes part of the intelligence of your organization in a practical way, and it also shows that your organization considers change to be a critical area of information security practice. If your Managed Service Provider (MSP) provides most of the changes in your environment, be sure your organization remains informed of the changes, and all the changes are logged by your MSP.

Discussion From Source

DRAFT NIST SP 800-171 R2 Tracking, reviewing, approving/disapproving, and logging changes is called configuration change control . Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled and unauthorized changes, and changes to remediate vulnerabilities. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes to systems. For new development systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards or Change Advisory Boards. Audit logs of changes include activities before and after changes are made to organizational systems and the activities required to implement such changes. NIST SP 800-128 provides guidance on configuration change control.