NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-3(7) Review System Changes

Review changes to the system [Assignment: organization-defined frequency] or when [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Indications that warrant a review of changes to the system and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process or continuous monitoring process.

Practitioner Notes

This enhancement was incorporated into SI-7. It previously required reviewing system changes after implementation to verify they were applied correctly.

Example 1: After deploying a change, run a SCAP compliance scan to verify the system still meets its security baseline and no unintended changes occurred.

Example 2: Conduct post-implementation reviews at your CCB meeting to confirm changes were deployed as approved and no unexpected issues were introduced.
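One way to turn the post-change scan in Example 1 into a review for unauthorized changes is to compare XCCDF rule results from before and after the deployment against the rules the approved change was expected to affect. This is an added example, not part of the control text or the original page; the rule IDs, the sample scan data and the idea that the change record lists affected rule IDs are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

XCCDF = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace

def load_results(xml_text):
    """Map rule id -> result for every rule-result in an XCCDF results document."""
    results = {}
    for rr in ET.fromstring(xml_text).iter(XCCDF + "rule-result"):
        results[rr.get("idref")] = rr.findtext(XCCDF + "result", default="unknown").strip()
    return results

def unexplained_changes(pre, post, approved_rules):
    """Return (rule, before, after) for each result that changed without approval.

    A rule present in only one scan is reported as 'absent' on the other side,
    since a silently dropped check can hide drift.
    """
    findings = []
    for rule in sorted(set(pre) | set(post)):
        before, after = pre.get(rule, "absent"), post.get(rule, "absent")
        if before != after and rule not in approved_rules:
            findings.append((rule, before, after))
    return findings

def _sample(results):
    """Build a constructed XCCDF TestResult document (not real scan output)."""
    body = "".join(
        f'<rule-result idref="{rid}"><result>{res}</result></rule-result>'
        for rid, res in results.items()
    )
    return f'<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2">{body}</TestResult>'

P = "xccdf_org.example_rule_"  # hypothetical rule id prefix
PRE_SCAN = _sample({P + "audit_enabled": "pass", P + "firewall_default_deny": "pass",
                    P + "sshd_disable_root": "fail", P + "umask_027": "pass"})
POST_SCAN = _sample({P + "audit_enabled": "pass", P + "firewall_default_deny": "fail",
                     P + "sshd_disable_root": "pass"})
# Assumption: the approved change record names the rules it should affect.
APPROVED = {P + "sshd_disable_root"}

if __name__ == "__main__":
    for rule, before, after in unexplained_changes(
            load_results(PRE_SCAN), load_results(POST_SCAN), APPROVED):
        print(f"REVIEW {rule}: {before} -> {after}")
```

Each reported row is a result change with no matching approval and is a candidate item for the CCB review in Example 2.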