CM-3 Configuration Change Control

Control: Document and control changes to the system. Appropriate organizational officials approve system changes in accordance with organizational policies and procedures.

Illustrative Controls and TIBCO LogLogic Solution

Managing changes addresses how an organization modifies system functionality to help the business meet its FISMA requirements. Deficiencies in this area might significantly impact reporting. For example, changes to the programs that allocate payment data require appropriate approvals and testing before the change to ensure classification and reporting integrity. Businesses must ensure that requests for program changes, system changes, and maintenance (including changes to system software) are standardized, documented, and subject to formal change management procedures.

To satisfy this requirement, administrators must review all changes to the production environment and compare the changes to documented approvals to ensure the approval process is followed. From the archived audit log data, obtain a sample of regular and emergency changes made to applications or systems to determine whether they were adequately tested and approved before being placed into a production environment. Trace the sample of changes back to the change request log and supporting documentation.
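As an added example (not part of the TIBCO LogLogic product or this document), the following script performs the reconciliation described above: it reads a constructed sample of archived audit-log change events and a constructed change request log, then flags production changes that reference no change request, reference one that does not exist, were approved only after the change was made, or were not marked as tested. The CSV column names and the sample rows are assumptions.

```python
import csv
from datetime import datetime
from io import StringIO

# Constructed sample of archived audit-log events recording production changes.
AUDIT_LOG = """timestamp,host,user,change_id,action
2024-03-01T09:12:00,app01,jsmith,CR-1001,deploy payment-allocator 2.3
2024-03-01T13:40:00,db02,root,CR-1002,alter table payments
2024-03-02T02:05:00,app01,ops,,hotfix config.yaml
2024-03-02T08:00:00,fw01,netadmin,CR-1003,firewall policy update
"""

# Constructed change request log holding the documented approvals and test status.
CHANGE_REQUESTS = """change_id,approved_by,approved_at,tested
CR-1001,cab-chair,2024-02-28T15:00:00,yes
CR-1002,cab-chair,2024-03-01T16:00:00,no
CR-1003,cab-chair,2024-03-01T10:00:00,yes
"""


def parse_csv(text):
    """Parse an inline CSV document into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def reconcile(audit_text, request_text):
    """Trace each audited change back to its change request.

    Returns a list of (change_id, host, finding) tuples; an empty list means
    every sampled change was approved and tested before it reached production.
    """
    requests = {r["change_id"]: r for r in parse_csv(request_text)}
    findings = []
    for ev in parse_csv(audit_text):
        cid, host = ev["change_id"], ev["host"]
        changed_at = datetime.fromisoformat(ev["timestamp"])
        if not cid:
            findings.append((cid, host, "no change request referenced"))
            continue
        req = requests.get(cid)
        if req is None:
            findings.append((cid, host, "change request not found in request log"))
            continue
        # Approval must predate the change; a later approval is retroactive.
        if datetime.fromisoformat(req["approved_at"]) > changed_at:
            findings.append((cid, host, "approved after the change was made"))
        if req["tested"].strip().lower() != "yes":
            findings.append((cid, host, "not marked as tested before deployment"))
    return findings


if __name__ == "__main__":
    for cid, host, finding in reconcile(AUDIT_LOG, CHANGE_REQUESTS):
        print(f"{host}: {cid or '<none>'}: {finding}")
```

Each finding is a change that cannot be traced to a valid, prior approval and should be escalated to the change advisory process.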

Administrators must identify all protocols and services that are considered risky to pass through the firewall. These risky services include, but are not limited to, FTP (21/tcp), Telnet (23/tcp), Rlogin (513/tcp), Rsh (514/tcp), NetBIOS (137-139/tcp,udp), and others. Any risky protocols or services must be immediately removed from the firewall policies.

Reports and Alerts

Use the following reference to see the CM-3 reports and alerts: CM-3.