CM.2.066

Control Acronym

CM

Family

Configuration Management

CMMC Level

2

800-171 Control #

3.4.4

CMMC Description

Analyze the security impact of changes prior to implementation.

CMMC Clarification

You should analyze the potential security impact of changes before implementing them. Changes to complex environments can cause unforeseen problems to systems and environments. You should perform an analysis that focuses on the security impact of changes. This can uncover potential problems before you implement the change. By doing so, you can help mitigate unforeseen problems. Example Someone requests major changes to the system and environment. You must complete a process with several steps before you can put the change in place. You document a detailed plan which includes the security impact of the change. A SME who did not submit the change reviews the plan. That SME tries to identify security-related issues that the change may cause. Then, they document or correct the potential issues. Also, they submit the updated change plan to your organization’s change control board.

800-171 Description

Analyze the security impact of changes prior to implementation.

800-171 Discussion

Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of controls and how specific changes might affect the controls. Security impact analyses may also include risk assessments to better understand the impact of the changes and to determine if additional controls are required. [SP 800-128] provides guidance on configuration change control and security impact analysis.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 CM-4

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.4.4

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.IP-3

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

CM.2.066.[a] the security impact of changes to the system is analyzed prior to implementation.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15