NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-4(2) Verification of Controls

After system changes, verify that the impacted controls are implemented correctly, operating as intended, and producing the desired outcome with regard to meeting the security and privacy requirements for the system.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Implementation in this context refers to installing changed code in the operational system that may have an impact on security or privacy controls.

Practitioner Notes

This enhancement requires you to verify that security controls still work after making changes — not just assume they do.

Example 1: After applying a Windows patch, run a STIG compliance scan to verify that security controls like audit logging, account lockout, and encryption are still properly configured.

Example 2: After firewall rule changes, run an Nmap scan to confirm that only the intended ports are open and previously blocked ports remain closed.
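The check in Example 2 can be automated by comparing scan results to the approved baseline. The following is an added illustration, not part of the original control text: it parses Nmap grepable output (`-oG`) and reports both unexpectedly open ports and intended ports that are not open. The scan output, addresses and `APPROVED` baseline are constructed sample data.

```python
import re

# Constructed sample of `nmap -oG -` (grepable) output taken after the change.
SAMPLE_SCAN = """\
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-wbt-server///, 23/filtered/tcp//telnet///\tIgnored State: closed (996)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 443/open/tcp//https///, 25/closed/tcp//smtp///\tIgnored State: filtered (998)
"""

# Hypothetical baseline from the change record: host -> ports intended to be open.
APPROVED = {
    "192.0.2.10": {(22, "tcp"), (443, "tcp")},
    "192.0.2.11": {(443, "tcp"), (25, "tcp")},
}


def parse_open_ports(grepable):
    """Return {host: {(port, proto), ...}} for ports nmap reported as open."""
    observed = {}
    for line in grepable.splitlines():
        host = re.match(r"Host: (\S+)", line)
        if not host:
            continue  # comment lines such as "# Nmap ... scan initiated"
        open_ports = observed.setdefault(host.group(1), set())
        ports = re.search(r"\tPorts: ([^\t]*)", line)
        for entry in ports.group(1).split(",") if ports else []:
            fields = entry.strip().split("/")  # port/state/proto/owner/service/...
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add((int(fields[0]), fields[2]))
    return observed


def verify(observed, approved):
    """List every deviation between the scan and the approved baseline."""
    findings = []
    for host in sorted(set(observed) | set(approved)):
        seen, want = observed.get(host, set()), approved.get(host, set())
        findings += [(host, p, proto, "unexpected-open") for p, proto in sorted(seen - want)]
        findings += [(host, p, proto, "expected-not-open") for p, proto in sorted(want - seen)]
    return findings


if __name__ == "__main__":
    results = verify(parse_open_ports(SAMPLE_SCAN), APPROVED)
    for host, port, proto, status in results:
        print(f"{host} {port}/{proto}: {status}")
    raise SystemExit(1 if results else 0)
```

The non-zero exit status lets the check gate a change ticket or pipeline step; its coverage is limited to the port range and network vantage point of the scan that produced the input.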