Security Requirements for 03.04.03 Configuration Change Control

Configuration change control refers to tracking, reviewing, approving or disapproving, and logging changes to the system. Specifically, it involves the systematic proposal, justification, implementation, testing, review, and disposition of changes to the system, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for system components (e.g., operating systems, applications, firewalls, routers, mobile devices) and configuration items of the system, changes to configuration settings, unscheduled and unauthorized changes, and changes to remediate vulnerabilities. This requirement is related to 03.04.04.

  1. 03.04.03.a

    Define the types of changes to the system that are configuration-controlled.

  2. 03.04.03.b

    Review proposed configuration-controlled changes to the system, and approve or disapprove such changes with explicit consideration for security impacts.

  3. 03.04.03.c

    Implement and document approved configuration-controlled changes to the system.

  4. 03.04.03.d

    Monitor and review activities associated with configuration-controlled changes to the system.