Name: Episode 3 Configuration Change Control (CM-3)
Uploaded: 2024-06-14 23:00:33
Duration: 10 min 15 s

Question 1

What is NIST 800-53 CM-3 Configuration Change Control?

Accepted Answer

CM-3 is the control that forces your organization to manage system changes in a structured way—proposal, review, approval/disapproval, implementation, and recordkeeping. I emphasize that you can’t push changes without explicitly considering security and privacy impact. The goal is to prevent unauthorized changes and protect the system’s integrity.

Question 2

Is CM-3 required for Low, Moderate, or High systems in NIST 800-53 Rev 5?

Accepted Answer

In Rev 5, CM-3 is selected for Moderate and High systems only. It’s not selected for Low systems. That matters because your baseline control set drives what you must implement and assess.

Question 3

What does a Change Control Board (CCB) do for CM-3?

Accepted Answer

The CCB reviews proposed changes and approves or disapproves them before they’re implemented. In my explanation, the CCB is a key mechanism to make sure changes don’t slip into production without the right stakeholders and oversight. It also supports auditability because decisions and approvals are documented.

Question 4

What are the main CM-3 requirements I need to document?

Accepted Answer

You need to define what types of changes are configuration-controlled, review them, and approve/disapprove them with security and privacy impact in mind. Then you document the decision, implement approved changes, and retain records for an organization-defined time period. You also monitor and review change control activities and coordinate oversight through an org-defined change control element.

Question 5

How do you test or assess CM-3 as a security control assessor?

Accepted Answer

I start by obtaining and examining the configuration management policy and procedures. Then I review artifacts like the SSP, configuration management plan, and change control records/tickets (ServiceNow, Jira, Azure DevOps, whatever you use). I pull sample change requests to verify approvals are present and confirm changes align with documented baseline configurations.

Question 6

What evidence should I show an auditor for configuration change control?

Accepted Answer

Show your CM policy/procedures, SSP references, CM plan, and a set of change tickets with approvals and implementation details. I also look for baseline configuration documentation so we can see whether changes deviated from what’s approved. Record retention matters too—keep the change records for your defined period (1, 2, 3, 5 years, etc.).

Question 7

How is CM-3 related to CM-4 Security Impact Analysis?

Accepted Answer

CM-3 requires you to consider security and privacy impact when approving changes, and CM-4 goes deeper into the security impact analysis piece. In the video, I call out that CM-4 is the next episode because it’s directly tied to understanding the risk a change might introduce. If you skip impact analysis, you’re missing the essence of controlled change.

Episode 3 Configuration Change Control (CM-3)

🛍️ Products Mentioned (4)

Official NIST publications, standards, and guidance

Official KamilSec branded designs and apparel

PayPal

*Patreon & Channel Support*******

About This Video

Frequently Asked Questions

🎬 More from KamilSec