NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-3(8) Prevent or Restrict Configuration Changes

Prevent or restrict changes to the configuration of the system under the following circumstances: [Assignment: organization-defined circumstances].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

System configuration changes can adversely affect critical system security and privacy functionality. Change restrictions can be enforced through automated mechanisms.

Practitioner Notes

This enhancement requires preventing or restricting certain configuration changes entirely — some settings should be locked down so no one can change them without extraordinary approval.

Example 1: Use Group Policy to lock critical security settings (like audit logging and password policies) so that local administrators cannot override them.

Example 2: In Azure, use resource locks (CanNotDelete, ReadOnly) to prevent accidental or unauthorized changes to critical infrastructure resources like network security groups.
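A check that goes with Example 2, as an added example that is not part of the original page: it reads lock records shaped like the output of `az lock list --output json` and reports which critical resources have no lock, or only a CanNotDelete lock, which blocks deletion but still allows configuration changes. Locks set on a resource group or subscription are inherited by the resources beneath them, so the check matches on parent scopes; the subscription ID, resource names and function names are constructed for illustration.

```python
LOCK_MARKER = "/providers/microsoft.authorization/locks/"

# Constructed sample data (not from a real tenant), shaped like `az lock list` output.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
NSG = "/providers/Microsoft.Network/networkSecurityGroups/"
SAMPLE_LOCKS = [
    {"id": SUB + "/resourceGroups/rg-net" + NSG + "nsg-dmz"
           "/providers/Microsoft.Authorization/locks/nsg-dmz-ro",
     "level": "ReadOnly"},
    {"id": SUB + "/resourceGroups/rg-core"
           "/providers/Microsoft.Authorization/locks/rg-core-nodelete",
     "level": "CanNotDelete"},
]
# Constructed list of resources the organization has designated as critical.
CRITICAL = [
    SUB + "/resourceGroups/rg-net" + NSG + "nsg-dmz",
    SUB + "/resourceGroups/rg-core" + NSG + "nsg-core",
    SUB + "/resourceGroups/rg-core2" + NSG + "nsg-lab",
]

def lock_scope(lock_id):
    """Scope a lock applies to: the lock's resource ID minus the lock suffix."""
    idx = lock_id.lower().rfind(LOCK_MARKER)
    if idx == -1:
        raise ValueError("not a management lock ID: " + lock_id)
    return lock_id[:idx].lower()

def effective_levels(resource_id, locks):
    """Lock levels on the resource itself or inherited from a parent scope."""
    rid = resource_id.lower().rstrip("/")
    levels = set()
    for lock in locks:
        scope = lock_scope(lock["id"])
        # The trailing "/" keeps rg-core from matching rg-core2.
        if rid == scope or rid.startswith(scope + "/"):
            levels.add(lock["level"])
    return levels

def audit(resources, locks, required="ReadOnly"):
    """Map each resource to 'ok', 'weaker-lock' or 'unlocked'."""
    findings = {}
    for rid in resources:
        levels = effective_levels(rid, locks)
        findings[rid] = ("ok" if required in levels
                         else "weaker-lock" if levels else "unlocked")
    return findings

if __name__ == "__main__":
    for rid, status in audit(CRITICAL, SAMPLE_LOCKS).items():
        print(status.ljust(12), rid.rsplit("/", 1)[-1])
```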