CM-3(1)—Automated Documentation, Notification, And Prohibition Of Changes
>Control Description
Enterprises should define a set of system changes that are critical to the protection of the information system and the underlying or interoperating systems and networks. These changes may be defined based on a criticality analysis (including components, processes, and functions) and where vulnerabilities exist that are not yet remediated (e.g., due to resource constraints). The change control process should also monitor for changes that may affect an existing security control to ensure that this control continues to function as required.
>Cross-Framework Mappings