NIST SP 800-171 Rev 2 requirement 3.4.3 mandates that organizations establish and enforce a formal change control process for all modifications to hardware, firmware, software, and documentation associated with organizational systems. Every proposed change must pass through a documented workflow that includes tracking the change from initiation through closure, reviewing it against security impact and operational criteria, obtaining formal approval or disapproval from an authorized authority, and creating a permanent log entry that records what changed, when, who authorized it, and what the outcome was. This practice builds directly on the existence of a documented baseline configuration (3.4.1) and serves as the enforcement mechanism that keeps systems aligned with that baseline over time. The intent is to prevent unauthorized, untested, or malicious modifications from degrading the confidentiality, integrity, or availability of systems that process, store, or transmit Controlled Unclassified Information (CUI).
Where it stops · what it isn't
- —This practice does not establish the baseline configuration itself — that is covered by CM.L2-3.4.1
- —This practice does not govern security impact analysis procedures in depth — that is addressed by CM.L2-3.4.4
- —This practice does not require automated patch deployment tools, only that patches and updates are tracked and approved through the change process
- —This practice does not cover incident response activities that reverse unauthorized changes — that falls under Incident Response and System and Information Integrity domains
- —This practice does not define user access controls that authorize who may make changes — that is governed by Access Control domain practices
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OFdomain/configuration-management