NIST 800-171 • LEVEL 2 • CONFIGURATION MANAGEMENT
3.4.3 — Configuration Change Control
Define the types of changes to the system that are configuration-controlled. Review proposed configuration-controlled changes to the system, and approve or disapprove such changes with explicit consideration for security impacts. Implement and document approved configuration-controlled changes to the system. Monitor and review activities associated with configuration-controlled changes to the system.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- the types of changes to the system that are configuration-controlled are defined.
- proposed configuration-controlled changes to the system are reviewed with explicit consideration for security impacts.
- proposed configuration-controlled changes to the system are approved or disapproved with explicit consideration for security impacts.
- activities associated with configuration-controlled changes to the system are monitored.
- activities associated with configuration-controlled changes to the system are reviewed.
- approved configuration-controlled changes to the system are implemented.
- approved configuration-controlled changes to the system are documented.
Practitioner Notes
Configuration change control means you have a process for proposing, reviewing, approving, and documenting any change to your systems. Nobody should be making changes on the fly without someone checking whether that change could open a security hole.
This applies to software updates, firewall rule changes, new user permissions — anything that alters how the system works.
Example 1: Use a change management board (even a simple one) and track requests in a ticketing system like Jira or ServiceNow. Create a workflow where each change request includes a security impact field. Route tickets through Change Management > Change Advisory Board (CAB) for review before any production changes are made.
Example 2: For firewall changes, use Palo Alto Panorama or a similar management platform to stage rule changes in a candidate configuration before committing. Enable the audit log under Device > Setup > Operations > Audit Logging so every proposed and committed change is tracked with the user who made it and a timestamp.