CM.L2-3.4.4 requires organizations to perform a security impact analysis (SIA) on proposed changes to organizational information systems before those changes are implemented. Grounded in NIST SP 800-171 Rev 2 requirement 3.4.4, this practice mandates that personnel with information security responsibilities evaluate each proposed change — including patches, configuration modifications, new software, hardware additions, or firmware updates — to identify potential security consequences. The analysis must occur prior to implementation so that risks can be mitigated, the change can be conditionally approved, or the change can be rejected before harm occurs. This practice operates within an established change control process (see CM.L2-3.4.3) and produces a documented record that the security implications of the change were considered. The goal is to prevent authorized changes from inadvertently undermining access controls, audit functions, encryption posture, or other security properties of systems that process, store, or transmit CUI.
Where it stops · what it isn't
- This practice does not cover the detection of or response to unauthorized changes; that falls under the system and information integrity (SI.L2-3.14.x) and audit and accountability (AU.L2-3.3.x) controls.
- This practice does not require formal risk acceptance sign-off by a senior official, although that may be a downstream process; it requires analysis, not necessarily approval authority.
- This practice does not govern the content of the change itself; it governs the analytical step before implementation, not implementation procedures or rollback plans.
- This practice does not apply to emergency break-fix actions taken to restore availability during an active incident, though a post-implementation SIA may still be required by policy.
- This practice does not define what constitutes an acceptable or unacceptable level of security impact; that determination is left to the organization's security policies and risk tolerance.
Connected concepts in the graph
Every cubelet sits in a knowledge graph. Here's what this one connects to.
PART OF domain/configuration-management