NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-3(1) Automated Documentation, Notification, and Prohibition of Changes

Use [Assignment: organization-defined automated mechanisms] to:

(a) Document proposed changes to the system;
(b) Notify [Assignment: organization-defined approval authorities] of proposed changes to the system and request change approval;
(c) Highlight proposed changes to the system that have not been approved or disapproved within [Assignment: organization-defined time period];
(d) Prohibit changes to the system until designated approvals are received;
(e) Document all changes to the system; and
(f) Notify [Assignment: organization-defined personnel] when approved changes to the system are completed.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

None.

Practitioner Notes

This enhancement requires automated tools to document changes, notify stakeholders, and prevent unauthorized changes — taking the human error out of change management.

Example 1: Configure ServiceNow to automatically send email notifications to the security team and CCB members when change requests are submitted, approved, or implemented.

Example 2: Use Azure Policy or AWS Config Rules to automatically block changes that violate your security baseline and log all attempted modifications.
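
The six functions in the control statement can be sketched as one small change gate. This is an added example, not code from NIST or from any product named above; `ChangeGate`, `ChangeRequest`, the `notify` callback and the five-day `REVIEW_WINDOW` are hypothetical names and values chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable

REVIEW_WINDOW = timedelta(days=5)  # assumed organization-defined time period


@dataclass
class ChangeRequest:
    change_id: str
    summary: str
    submitted: datetime
    status: str = "pending"  # pending | approved | disapproved | completed


@dataclass
class ChangeGate:
    notify: Callable[[str, str], None]  # notify(audience, message); stands in for mail or ticketing
    requests: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # (timestamp, event, change_id)

    def _record(self, event, change_id, now):
        self.audit_log.append((now.isoformat(), event, change_id))

    def propose(self, cr):
        # Document the proposed change, then notify approvers and request approval.
        self.requests[cr.change_id] = cr
        self._record("proposed", cr.change_id, cr.submitted)
        self.notify("approvers", f"Approval requested: {cr.change_id} {cr.summary}")

    def decide(self, change_id, approved, now):
        cr = self.requests[change_id]
        cr.status = "approved" if approved else "disapproved"
        self._record(cr.status, change_id, now)

    def overdue(self, now):
        # Highlight requests with no approval or disapproval inside the window.
        return [c.change_id for c in self.requests.values()
                if c.status == "pending" and now - c.submitted > REVIEW_WINDOW]

    def apply(self, change_id, action, now):
        # Prohibit the change unless an approval is on record; log the attempt either way.
        cr = self.requests.get(change_id)
        if cr is None or cr.status != "approved":
            self._record("blocked", change_id, now)
            raise PermissionError(f"{change_id} has no recorded approval")
        action()
        cr.status = "completed"
        self._record("completed", change_id, now)
        self.notify("stakeholders", f"Change completed: {change_id}")
```

In a real deployment `apply` is the enforcement point a pipeline or policy engine would call before touching the system, and `overdue` feeds the report of undecided requests.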