myctrl.tools
Compare

CM-3(2)Testing, Validation, And Documentation Of Changes

MODERATE
HIGH

>Control Description

Test, validate, and document changes to the system before finalizing the implementation of the changes.

>Cross-Framework Mappings

SCF

CHG-02.2
Compare
CHG-06
Compare

>Programmatic Queries

Beta

Related Services

AWS CodePipeline
AWS CodeBuild

CLI Commands

Create CodePipeline with change validation stages
aws codepipeline create-pipeline --cli-input-json file://pipeline.json --region us-east-1
Start CodeBuild project for change validation
aws codebuild batch-get-builds --ids build-123456 --region us-east-1
Get pipeline execution history with change details
aws codepipeline list-pipeline-executions --pipeline-name my-change-pipeline --region us-east-1
Put manual approval action for change documentation
aws codepipeline put-approval-result --pipeline-name my-change-pipeline --stage-name Approval --action-name ManualApproval --result summary="Change tested and documented",status="Approved" --region us-east-1
Open AWS ConsoleDocumentation

>Supplemental Guidance

Changes to systems include modifications to hardware, software, or firmware components and configuration settings defined in CM-06. Organizations ensure that testing does not interfere with system operations that support organizational mission and business functions. Individuals or groups conducting tests understand security and privacy policies and procedures, system security and privacy policies and procedures, and the health, safety, and environmental risks associated with specific facilities or processes.

Operational systems may need to be taken offline, or replicated to the extent feasible, before testing can be conducted. If systems must be taken offline for testing, the tests are scheduled to occur during planned system outages whenever possible. If the testing cannot be conducted on operational systems, organizations employ compensating controls.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-3(2) (Testing, Validation, And Documentation Of Changes)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-3(2)?
  • How frequently is the CM-3(2) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-3(2)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-3(2) requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-3(2)?
  • How is CM-3(2) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-3(2) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-3(2)?
  • What audit logs, records, reports, or monitoring data validate CM-3(2) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-3(2) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-3(2) compliance?

Ask AI

Configure your API key to use AI features.