CMMC 2.0 • LEVEL 2 • CONFIGURATION MANAGEMENT

CM.L2-3.4.3 Configuration Change Control

Define the types of changes to the system that are configuration-controlled. Review proposed configuration-controlled changes to the system, and approve or disapprove such changes with explicit consideration for security impacts. Implement and document approved configuration-controlled changes to the system. Monitor and review activities associated with configuration-controlled changes to the system.

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • the types of changes to the system that are configuration-controlled are defined.
  • proposed configuration-controlled changes to the system are reviewed with explicit consideration for security impacts.
  • proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security impacts.
  • activities associated with configuration-controlled changes to the system are monitored.
  • activities associated with configuration-controlled changes to the system are reviewed.
  • approved configuration-controlled changes to the system are implemented.
  • approved configuration-controlled changes to the system are documented.
