NIST 800-171 • LEVEL 2 • CONFIGURATION MANAGEMENT
3.4.4 — Impact Analyses
Analyze changes to the system to determine potential security impacts prior to change implementation. Verify that the security requirements for the system continue to be satisfied after the system changes have been implemented.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- the security requirements for the system continue to be satisfied after the system changes have been implemented.
- changes to the system are analyzed to determine potential security impacts prior to change implementation.
Practitioner Notes
Before you make any change to a system, you need to think through how it could affect security. Will this patch break an existing security control? Will opening this port expose something sensitive? After the change goes in, you verify that your security posture is still intact.
This is about looking before you leap — and checking after you land.
Example 1: Before applying a Windows update or configuration change, run a vulnerability scan with Tenable Nessus or Tenable.sc. After the change, re-scan the same targets and compare results using the Scan Comparison report under Reports > Report Templates to confirm no new vulnerabilities were introduced.
Example 2: In your change request ticket, include a mandatory "Security Impact Analysis" field that requires the requester to assess whether the change affects access controls, encryption, logging, or network segmentation. Use a checklist template tied to NIST 800-53 control families (AC, AU, SC, etc.) so nothing gets overlooked.
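The compare step in Example 1 can also be done offline against exported scan results, which is useful when a scanner's built-in comparison report is unavailable or when the check needs to run in a change pipeline. The Python script below is an added example, not Tenable's tooling and not part of this page; it assumes CSV exports with the columns Plugin ID, Risk, Host, Protocol, Port and Name (the sample rows and plugin IDs are constructed), keys each finding by host, service and plugin, and reports what appeared only after the change. This catches a regression even when the total finding count dropped, the case a simple before/after count would miss.

```python
import csv
import io
from typing import Dict, List, Tuple

# Severity ranking used to decide which new findings block a change.
SEVERITY_RANK = {"None": 0, "Info": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# A finding is identified by where it was seen and which check fired,
# so the same issue on the same service compares equal across scans.
FindingKey = Tuple[str, str, str, str]  # (host, protocol, port, plugin id)
FindingRow = Tuple[str, str, str, str, str, str]  # key fields + risk + name

# Constructed sample exports (column layout is an assumption of this example).
BEFORE_CSV = """Plugin ID,Risk,Host,Protocol,Port,Name
100001,High,10.0.0.5,tcp,443,Outdated TLS library (constructed)
100002,Info,10.0.0.5,tcp,0,Host information (constructed)
"""

AFTER_CSV = """Plugin ID,Risk,Host,Protocol,Port,Name
100002,Info,10.0.0.5,tcp,0,Host information (constructed)
100003,Medium,10.0.0.5,tcp,445,SMB signing not required (constructed)
100004,Info,10.0.0.5,tcp,445,SMB service detected (constructed)
"""


def load_findings(csv_text: str) -> Dict[FindingKey, dict]:
    """Parse a scan export into a dict keyed by host/protocol/port/plugin."""
    findings: Dict[FindingKey, dict] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["Host"], row["Protocol"], row["Port"], row["Plugin ID"])
        findings[key] = {"risk": row["Risk"].strip(), "name": row["Name"].strip()}
    return findings


def compare_scans(
    before: Dict[FindingKey, dict],
    after: Dict[FindingKey, dict],
    min_severity: str = "Low",
) -> Dict[str, List[FindingRow]]:
    """Return findings introduced by the change ('new') and findings it removed
    ('fixed'). Only new findings at or above min_severity are reported, so
    informational plugins that fire on any newly exposed service do not block."""
    threshold = SEVERITY_RANK[min_severity]
    new: List[FindingRow] = []
    fixed: List[FindingRow] = []
    for key, info in after.items():
        if key not in before and SEVERITY_RANK.get(info["risk"], 0) >= threshold:
            new.append(key + (info["risk"], info["name"]))
    for key, info in before.items():
        if key not in after:
            fixed.append(key + (info["risk"], info["name"]))
    return {"new": sorted(new), "fixed": sorted(fixed)}


def change_is_clean(report: Dict[str, List[FindingRow]]) -> bool:
    """The post-change verification passes only if nothing new was introduced."""
    return not report["new"]


if __name__ == "__main__":
    report = compare_scans(load_findings(BEFORE_CSV), load_findings(AFTER_CSV))
    for label in ("new", "fixed"):
        print(f"{label}:")
        for host, proto, port, plugin, risk, name in report[label]:
            print(f"  {host} {proto}/{port} plugin {plugin} [{risk}] {name}")
    print("change passes impact verification:", change_is_clean(report))
```

In this sample the change fixed the High TLS finding but opened SMB with a Medium finding, so the verification fails even though the finding count went down; raising min_severity to High would let the change through, which is exactly the threshold decision the impact analysis should record in the ticket.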