NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-3(1) Automated Documentation, Notification, and Prohibition of Changes

Use [organization-defined parameter] to:

- Document proposed changes to the system;
- Notify [organization-defined parameter] of proposed changes to the system and request change approval;
- Highlight proposed changes to the system that have not been approved or disapproved within [organization-defined parameter];
- Prohibit changes to the system until designated approvals are received;
- Document all changes to the system; and
- Notify [organization-defined parameter] when approved changes to the system are completed.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

None.

Practitioner Notes

This enhancement requires automated tools to document changes, notify stakeholders, and prevent unauthorized changes — taking the human error out of change management.

Example 1: Configure ServiceNow to automatically send email notifications to the security team and CCB members when change requests are submitted, approved, or implemented.

Example 2: Use Azure Policy or AWS Config Rules to automatically block changes that violate your security baseline and log all attempted modifications.
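
The six requirements in the control statement can be read as one small change gate. The sketch below is an added example, not code from NIST or from any product named above; the class and method names are assumptions, and the outbox list stands in for a real notification channel such as email or a ticketing system.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

class ChangeNotApproved(Exception):
    """Raised when a change is attempted without a recorded approval."""

@dataclass
class ChangeGate:
    approvers: list             # designated approval authorities (assumed identifiers)
    completion_watchers: list   # personnel notified when a change completes
    review_window: timedelta    # time allowed before a pending request is highlighted
    requests: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)  # append-only record of every event
    outbox: list = field(default_factory=list)     # stand-in for email/chat delivery

    def _record(self, event, change_id, when, detail=""):
        self.audit_log.append((when.isoformat(), event, change_id, detail))

    def propose(self, change_id, summary, when: datetime):
        # Document the proposal, then notify approvers and request approval.
        self.requests[change_id] = {"summary": summary, "status": "pending", "submitted": when}
        self._record("proposed", change_id, when, summary)
        for approver in self.approvers:
            self.outbox.append((approver, f"Approval requested: {change_id} {summary}"))

    def decide(self, change_id, approver, approved, when: datetime):
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not a designated approver")
        if self.requests[change_id]["status"] != "pending":
            raise ValueError(f"{change_id} is not awaiting a decision")
        self.requests[change_id]["status"] = "approved" if approved else "rejected"
        self._record("approved" if approved else "rejected", change_id, when, approver)

    def overdue(self, now: datetime):
        # Highlight requests neither approved nor disapproved within the window.
        return sorted(cid for cid, r in self.requests.items()
                      if r["status"] == "pending" and now - r["submitted"] > self.review_window)

    def apply(self, change_id, action, when: datetime):
        # Prohibit the change unless an approval is on record; log the attempt either way.
        req = self.requests.get(change_id)
        if req is None or req["status"] != "approved":
            self._record("blocked", change_id, when, "no approval on record")
            raise ChangeNotApproved(change_id)
        result = action()
        req["status"] = "completed"
        self._record("completed", change_id, when)
        for watcher in self.completion_watchers:
            self.outbox.append((watcher, f"Change completed: {change_id}"))
        return result
```

The point to carry into a real deployment is that the change itself runs only through `apply`, so the approval check and the audit entry cannot be skipped by the person making the change.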