CM-3: Configuration Change Control
From NIST's SP800-53:
a. Determine and document the types of changes to the system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
c. Document configuration change decisions associated with the system;
d. Implement approved configuration-controlled changes to the system;
e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
f. Monitor and review activities associated with configuration-controlled changes to the system; and
g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].
SP800-53 Control Mapped to NIST Cyber Security Framework
Generated from NIST's SP800-53/CSF Crosswalk mappings.
Control ID | Description |
---|---|
DE.CM-7 | Monitoring for unauthorized personnel, connections, devices, and software is performed |
PR.IP-1 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) |
PR.IP-3 | Configuration change control processes are in place |
DE.CM-1 | The network is monitored to detect potential cybersecurity events |
MITRE ATT&CK Techniques
See which MITRE ATT&CK techniques this control helps to protect against.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1495 | Firmware Corruption | Impact |
T1543.002 | Systemd Service | Persistence, Privilege Escalation |
T1176 | Browser Extensions | Persistence |
T1601.001 | Patch System Image | Defense Evasion |
T1553.006 | Code Signing Policy Modification | Defense Evasion |
T1647 | Plist File Modification | Defense Evasion |
T1542.001 | System Firmware | Defense Evasion, Persistence |
T1564.008 | Email Hiding Rules | Defense Evasion |
T1542.004 | ROMMONkit | Defense Evasion, Persistence |
T1213.002 | Sharepoint | Collection |
T1213.001 | Confluence | Collection |
T1553 | Subvert Trust Controls | Defense Evasion |
T1601 | Modify System Image | Defense Evasion |
T1059.006 | Python | Execution |
T1021.005 | VNC | Lateral Movement |
T1547.013 | XDG Autostart Entries | Persistence, Privilege Escalation |
T1542.005 | TFTP Boot | Defense Evasion, Persistence |
T1543 | Create or Modify System Process | Persistence, Privilege Escalation |
T1547.007 | Re-opened Applications | Persistence, Privilege Escalation |
T1195.003 | Compromise Hardware Supply Chain | Initial Access |
T1542.003 | Bootkit | Defense Evasion, Persistence |
T1542 | Pre-OS Boot | Defense Evasion, Persistence |
T1213 | Data from Information Repositories | Collection |
T1601.002 | Downgrade System Image | Defense Evasion |