KSI-CMT-LMC—Logging Changes
Formerly KSI-CMT-01
Control Description
NIST 800-53 Controls
Trust Center Components (4)
Ways to express your implementation of this indicator — approaches vary by organization size, complexity, and data sensitivity.
From the field: Mature implementations express change management through GitOps-tracked workflows — branch protection enforcing approval requirements, automated security checks gating merges, and change history dashboards showing commit activity, PR merge rates, and governance health metrics as first-class security indicators. The change management policy becomes an artifact of the enforcement rules, not a standalone document.
Change History Dashboard
Dashboard expressing change management posture — change volume, approval rates, rollback metrics, and governance health as live indicators
Change Policy Enforcement
Automated enforcement of change management rules — validates changes follow approved processes before deployment
Change Advisory Board Process
How changes are reviewed for security impact — including CAB process and automated triage for standard vs. emergency changes
Change Management Policy
Human-readable documentation of the organization's change management approach — the "why" behind automated enforcement
Programmatic Queries
CLI Commands
gh api repos/{owner}/{repo}/commits --jq '.[] | {sha: .sha[:7], message: .commit.message, author: .commit.author.name, date: .commit.author.date}' | head -20
gh run list --limit 10 --json status,conclusion,name,createdAt
20x Assessment Focus Areas
Aligned with FedRAMP 20x Phase Two assessment methodology
Completeness & Coverage:
- Does change logging cover all modification types — infrastructure changes, application deployments, configuration updates, IAM policy changes, and database schema changes?
- Are there any CSO components where changes are not logged (e.g., ephemeral containers, serverless functions, third-party managed services)?
- How do you ensure changes made via break-glass or emergency access procedures are logged with the same fidelity as normal changes?
- When a new service or component is added to the CSO, what process ensures it is included in change logging before it goes live?
Automation & Validation:
- What automated alerts fire when a change is detected outside normal change management processes (e.g., direct console access, manual SSH changes)?
- How do you detect if change logging itself fails — for example, if a CloudTrail or audit log pipeline stops ingesting events?
- What automated correlation links changes to their corresponding change tickets or deployment records, and what happens when a change has no matching ticket?
- How do you validate that tamper protection on change logs is functioning — do you test for unauthorized deletion or modification of log entries?
Inventory & Integration:
- What tools capture change logs across your stack (CloudTrail, Config, GitHub audit logs, Kubernetes audit logs), and how do they feed into a centralized view?
- How does your change logging integrate with your SIEM to correlate changes with security events?
- Are change logs from inherited or third-party services ingested into the same platform, or tracked separately?
- How do you reconcile change logs against your deployment pipeline records to confirm every deployment was properly logged?
Continuous Evidence & Schedules:
- How do you demonstrate that change logging has been continuous and uninterrupted over the past 90 days?
- Is change log data queryable via API for assessors and agency reviewers, or only accessible through manual log exports?
- How do you detect gaps in change log coverage — periods where logging was degraded or missing for specific resources?
- What evidence shows change logs are retained for the required duration and have not been modified after the fact?
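An added, offline example (not from the KSI page or from FedRAMP) of the correlation the focus areas above ask about: it treats the output of the two gh commands as change and deployment records, flags commits with no pipeline run or no ticket reference, and reports windows with no logged event at all. The headSha field (requested via --json headSha) and the CHG-nnn ticket format are assumptions; the sample records are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data mirroring the two gh commands above (assumed shapes):
# commits from `gh api .../commits --jq ...`, runs from `gh run list --json ...`
# with headSha added to the --json field list (assumption, not on the page).
COMMITS = [
    {"sha": "a1b2c3d", "message": "Tighten IAM policy CHG-101", "author": "alice", "date": "2024-05-01T10:00:00Z"},
    {"sha": "e4f5a6b", "message": "Hotfix applied from console", "author": "bob", "date": "2024-05-03T02:15:00Z"},
    {"sha": "c7d8e9f", "message": "Rotate DB schema CHG-102", "author": "carol", "date": "2024-05-06T09:30:00Z"},
    {"sha": "d0e1f2a", "message": "Bump base image", "author": "dave", "date": "2024-05-06T11:00:00Z"},
]
RUNS = [
    {"name": "deploy", "status": "completed", "conclusion": "success", "createdAt": "2024-05-01T10:05:00Z", "headSha": "a1b2c3d0000"},
    {"name": "deploy", "status": "completed", "conclusion": "success", "createdAt": "2024-05-06T09:35:00Z", "headSha": "c7d8e9f0000"},
    {"name": "deploy", "status": "completed", "conclusion": "success", "createdAt": "2024-05-06T11:04:00Z", "headSha": "d0e1f2a0000"},
]
TICKET = re.compile(r"\bCHG-\d+\b")  # assumed change-ticket ID convention

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def unmatched_changes(commits, runs):
    """Commits with no pipeline run for their sha: the change reached the branch
    without passing the gated deployment path and needs a ticket or a rollback."""
    deployed = {r["headSha"][:7] for r in runs}
    return [c["sha"] for c in commits if c["sha"][:7] not in deployed]

def ticketless_changes(commits):
    """Commits whose message carries no change-ticket reference."""
    return [c["sha"] for c in commits if not TICKET.search(c["message"])]

def logging_gaps(timestamps, max_gap_hours):
    """Windows longer than max_gap_hours with no logged event at all. A gap is
    treated as degraded logging to investigate, not as a quiet system."""
    stamps = sorted(parse_ts(t) for t in timestamps)
    limit = timedelta(hours=max_gap_hours)
    return [(a.isoformat(), b.isoformat())
            for a, b in zip(stamps, stamps[1:]) if b - a > limit]

def change_log_report(commits=COMMITS, runs=RUNS, max_gap_hours=48):
    """Summary a change-history dashboard or an assessor API query could surface."""
    events = [c["date"] for c in commits] + [r["createdAt"] for r in runs]
    return {
        "unmatched": unmatched_changes(commits, runs),
        "ticketless": ticketless_changes(commits),
        "gaps": logging_gaps(events, max_gap_hours),
    }

if __name__ == "__main__":
    print(change_log_report())
```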