STIGhub: a free STIG search and compliance tool
© 2026 Beacon Cloud Solutions, Inc.

CM-3

Configuration Management · Rev 5 · organization

Configuration Change Control

Baselines: Moderate, High

Control Statement

a. Determine and document the types of changes to the system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
c. Document configuration change decisions associated with the system;
d. Implement approved configuration-controlled changes to the system;
e. Retain records of configuration-controlled changes to the system for [Assignment: time period];
f. Monitor and review activities associated with configuration-controlled changes to the system; and
g. Coordinate and provide oversight for configuration change control activities through [Assignment: configuration change control element] that convenes [Selection: organization-defined value].

Supplemental Guidance

Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10).

Related Controls (23)

CA-7, CM-2, CM-4, CM-5, CM-6, CM-9, CM-11, IA-3, MA-2, PE-16, PT-6, RA-8, SA-8, SA-10, SC-28, SC-34, SC-37, SI-2, SI-3, SI-4, SI-7, SI-10, SR-11

CCI Identifiers (15)

CCI-000314: Approve or disapprove configuration-controlled changes to the system, with explicit consideration for security impact analyses.
CCI-000315: The organization documents approved configuration-controlled changes to the system.
CCI-000316: Retain records of configuration-controlled changes to the system for an organization-defined time period.
CCI-000317: The organization reviews records of configuration-controlled changes to the system.
CCI-000318: Monitor and review activities associated with configuration-controlled changes to the system.
CCI-001586: Defines the configuration change control element responsible for coordinating and providing oversight for configuration change control activities.
CCI-000319: Coordinate and provide oversight for configuration change control activities through an organization-defined configuration change control element that convenes at the organization-defined frequency, and/or for any organization-defined configuration change conditions.
CCI-000320: Defines the frequency with which to convene the configuration change control element.
CCI-000321: Defines configuration change conditions that prompt the configuration change control element to convene.
CCI-003912: Approve or disapprove configuration-controlled changes to the system, with explicit consideration for privacy impact analyses.
CCI-000313: Determine and document the types of changes to the system that are configuration-controlled.
CCI-002056: Defines the time period the records of configuration-controlled changes are to be retained.
CCI-001740: Review proposed configuration-controlled changes to the system.
CCI-001741: Document configuration change decisions associated with the system.
CCI-001819: Implement approved configuration-controlled changes to the system.

Linked STIG Checks (13)

Across 5 STIGs.