CM-3(7)—Configuration Change Control | Review System Changes
IL5
IL6
>Control Description
Review changes to the system ⚙organization-defined frequency or when ⚙organization-defined circumstances to determine whether unauthorized changes have occurred.
>DoD Impact Level Requirements
No specific parameter values or requirements for this impact level.
>Discussion
Indications that warrant a review of changes to the system and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process or continuous monitoring process.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What formal policies and procedures govern the implementation of CM-3(7) (Review System Changes)?
- •Who are the designated roles responsible for implementing, maintaining, and monitoring CM-3(7)?
- •How frequently is the CM-3(7) policy reviewed and updated, and what triggers policy changes?
- •What training or awareness programs ensure personnel understand their responsibilities related to CM-3(7)?
Technical Implementation:
- •Describe the specific technical mechanisms or controls used to enforce CM-3(7) requirements.
- •What automated tools, systems, or technologies are deployed to implement CM-3(7)?
- •How is CM-3(7) integrated into your system architecture and overall security posture?
- •What configuration settings, parameters, or technical specifications enforce CM-3(7) requirements?
Evidence & Documentation:
- •What documentation demonstrates the complete implementation of CM-3(7)?
- •What audit logs, records, reports, or monitoring data validate CM-3(7) compliance?
- •Can you provide evidence of periodic reviews, assessments, or testing of CM-3(7) effectiveness?
- •What artifacts would you present during a FedRAMP assessment to demonstrate CM-3(7) compliance?
Ask AI
Configure your API key to use AI features.