Level 5 CMMC - CMMC Practices

CM.2.066

Reference: CMMC 1.02

Family: CM

Level Introduced: 2

Practice:
Analyze the security impact of changes prior to implementation.

CMMC Clarification:
You should analyze the potential security impact of changes before implementing them. Changes to complex environments can cause unforeseen problems to systems and environments. You should perform an analysis that focuses on the security impact of changes. This can uncover potential problems before you implement the change. By doing so, you can help mitigate unforeseen problems.

Example:
Someone requests major changes to the system and environment. You must complete a process with several steps before you can put the change in place. You document a detailed plan which includes the security impact of the change. A SME who did not submit the change reviews the plan. That SME tries to identify security-related issues that the change may cause. Then, they document or correct the potential issues. Also, they submit the updated change plan to your organization’s change control board.

3.4.4

Analyze the security impact of changes prior to implementation.

Discussion:
Organizational personnel with information security responsibilities (e.g., system administrators, system security officers, system security managers, and systems security engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills and technical expertise to analyze the changes to systems and the associated security ramifications. Security impact analysis may include reviewing security plans to understand security requirements and reviewing system design documentation to understand the implementation of controls and how specific changes might affect the controls. Security impact analyses may also include risk assessments to better understand the impact of the changes and to determine if additional controls are required.

[SP 800-128] provides guidance on configuration change control and security impact analysis.

Source: NIST Special Publication 800-171 Rev. 2

CM-4

SECURITY IMPACT ANALYSIS

Description:
The organization analyzes changes to the information system to determine potential security impacts prior to change implementation.

Supplemental Guidance:
Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required. Security impact analyses are scaled in accordance with the security categories of the information systems. Related controls: CA-2, CA-7, CM-3, CM-9, SA-4, SA-5, SA-10, SI-2.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02