CMMC v2.11 Practices

CM.L2-3.4.3  

Reference: CMMC v2.11

Family: CM

Level Introduced: 2

Title: System Change Management

Practice:
Track, review, approve or disapprove, and log changes to organizational systems.

Further Discussion:
You must track, review, and approve configuration changes before committing to production. Changes to computing environments can create unintended and unforeseen issues that can affect the security and availability of the systems, including those that process CUI. Relevant experts and stakeholders must review and approve proposed changes. They should discuss potential impacts before the organization puts the changes in place. Relevant items include changes to the physical environment and to the systems hosted within it.

Example
Once a month, the management and technical team leads join a change control board meeting. During this meeting, everyone reviews all proposed changes to the environment [b,c]. This includes changes to the physical and computing environments. The meeting ensures that relevant subject-matter experts review changes and propose alternatives where needed.

Potential Assessment Considerations
• Are changes to the system authorized by company management and documented [a,b,c,d]?
• Are changes documented and tracked (e.g., manually written down or included in a tracking service such as a ticketing system) [d]?

Source: CMMC v2.11