CM-3: Configuration Change Control

From NIST's SP800-53:

a. Determine and document the types of changes to the system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
c. Document configuration change decisions associated with the system;
d. Implement approved configuration-controlled changes to the system;
e. Retain records of configuration-controlled changes to the system for [Assignment: organization-defined time period];
f. Monitor and review activities associated with configuration-controlled changes to the system; and
g. Coordinate and provide oversight for configuration change control activities through [Assignment: organization-defined configuration change control element] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; when [Assignment: organization-defined configuration change conditions]].

SP800-53 Control Mapped to NIST Cyber Security Framework

Generated from NIST's SP800-53/CSF Crosswalk mappings.

Control ID  Description
DE.CM-7     Monitoring for unauthorized personnel, connections, devices, and software is performed
PR.IP-1     A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
PR.IP-3     Configuration change control processes are in place
DE.CM-1     The network is monitored to detect potential cybersecurity events

MITRE ATT&CK Techniques

See which MITRE ATT&CK techniques this control helps to protect against.

ATT&CK ID  Title                               Associated Tactics
T1495      Firmware Corruption                 Impact
T1543.002  Systemd Service                     Persistence, Privilege Escalation
T1176      Browser Extensions                  Persistence
T1601.001  Patch System Image                  Defense Evasion
T1553.006  Code Signing Policy Modification    Defense Evasion
T1647      Plist File Modification             Defense Evasion
T1542.001  System Firmware                     Defense Evasion, Persistence
T1564.008  Email Hiding Rules                  Defense Evasion
T1542.004  ROMMONkit                           Defense Evasion, Persistence
T1213.002  Sharepoint                          Collection
T1213.001  Confluence                          Collection
T1553      Subvert Trust Controls              Defense Evasion
T1601      Modify System Image                 Defense Evasion
T1059.006  Python                              Execution
T1021.005  VNC                                 Lateral Movement
T1547.013  XDG Autostart Entries               Persistence, Privilege Escalation
T1542.005  TFTP Boot                           Defense Evasion, Persistence
T1543      Create or Modify System Process     Persistence, Privilege Escalation
T1547.007  Re-opened Applications              Persistence, Privilege Escalation
T1195.003  Compromise Hardware Supply Chain    Initial Access
T1542.003  Bootkit                             Defense Evasion, Persistence
T1542      Pre-OS Boot                         Defense Evasion, Persistence
T1213      Data from Information Repositories  Collection
T1601.002  Downgrade System Image              Defense Evasion