NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-10(2) — Alternative Configuration Management Processes
Provide an alternate configuration management process using organizational personnel in the absence of a dedicated developer configuration management team.
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Alternate configuration management processes may be required when organizations use commercial off-the-shelf information technology products. Alternate configuration management processes include organizational personnel who review and approve proposed changes to systems, system components, and system services and conduct security and privacy impact analyses prior to the implementation of changes to systems, components, or services.
Practitioner Notes
When standard configuration management processes are not feasible (emergency patches, rapid prototyping), have an alternative process that still provides oversight and traceability.
Example 1: Define an emergency change process for situations where normal change management would take too long (e.g., deploying a critical security patch during an active attack). The process should include who can authorize emergency changes, what documentation is required after the fact, and a mandatory post-incident review.
Example 2: In Azure DevOps, create a separate 'hotfix' pipeline that allows expedited deployments with fewer approval gates but still requires at least one senior engineer approval and an automated security scan. After the emergency, the change must be retroactively reviewed and merged into the standard release process.
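The following Azure Pipelines YAML is an added illustration of the hotfix pipeline described in Example 2; it is not from the page or from any vendor documentation. The script paths, the environment name, and the PAT variable are assumptions, and the senior-engineer approval is configured as a check on the environment in the portal rather than in the YAML.

```yaml
# Hotfix pipeline: expedited path with one mandatory scan, one approval gate,
# and a retroactive-review record (added example; names below are assumptions).
trigger:
  branches:
    include:
      - hotfix/*

pool:
  vmImage: ubuntu-latest

stages:
  - stage: SecurityScan
    displayName: Mandatory automated security scan
    jobs:
      - job: Scan
        steps:
          - script: |
              # Assumed scanner wrapper; substitute the organisation's SAST/dependency tool.
              # A non-zero exit code fails this stage and blocks the Deploy stage.
              ./scripts/security-scan.sh
            displayName: Run security scan

  - stage: Deploy
    dependsOn: SecurityScan
    condition: succeeded()
    jobs:
      - deployment: HotfixDeploy
        # Assumed environment whose "Approvals" check lists only senior engineers;
        # the run pauses here until one of them approves.
        environment: production-hotfix
        strategy:
          runOnce:
            deploy:
              steps:
                - script: ./scripts/deploy.sh   # assumed deployment script
                  displayName: Deploy hotfix

  - stage: RecordForReview
    dependsOn: Deploy
    condition: succeeded()
    jobs:
      - job: OpenReviewItem
        steps:
          - script: |
              # Opens the retroactive-review work item so the emergency change is traced
              # back into the standard release process. Assumes the azure-devops CLI
              # extension is installed and a PAT is supplied from a pipeline secret.
              az boards work-item create \
                --type Task \
                --title "Retroactive review of hotfix $(Build.SourceBranchName) (build $(Build.BuildId))" \
                --description "Requested by $(Build.RequestedFor); review and merge into the standard release branch." \
                --org "$(System.CollectionUri)" \
                --project "$(System.TeamProject)"
            displayName: Open retroactive review work item
            env:
              AZURE_DEVOPS_EXT_PAT: $(HOTFIX_REVIEW_PAT)   # assumed secret variable
```

The last stage is what turns the expedited deployment into a traceable change: every hotfix leaves a work item that must be closed through the normal review process.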