NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT
CM-3(4) — Security and Privacy Representatives
Require [Assignment: organization-defined security and privacy representatives] to be members of the [Assignment: organization-defined configuration change control element].
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Information security and privacy representatives include system security officers, senior agency information security officers, senior agency officials for privacy, or system privacy officers. Representation by personnel with information security and privacy expertise is important because changes to system configurations can have unintended side effects, some of which may be security- or privacy-relevant. Detecting such changes early in the process can help avoid unintended, negative consequences that could ultimately affect the security and privacy posture of systems. The configuration change control element referred to in the second organization-defined parameter reflects the change control elements defined by organizations in [CM-3g](#cm-3_smt.g).
Practitioner Notes
This enhancement requires that security and privacy representatives be involved in the change control process — not just IT operations.
Example 1: Include your ISSO (Information System Security Officer) as a required approver on all change requests in ServiceNow before changes can proceed to implementation.
Example 2: Add a security impact assessment checklist to your change request template that must be completed by the security team before the CCB votes on approval.
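An added example, not from NIST or this page, showing how both practitioner examples can be enforced as a policy-as-code gate rather than left as guidance: a change request passes only when a security or privacy representative (roles taken from the supplemental guidance) has approved it and the security impact assessment (SIA) was completed by the security team before CCB voting began. The record layout, role codes and the sample change records are assumptions, not ServiceNow's data model.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import List, Optional

# Roles the supplemental guidance names as security and privacy representatives.
SECURITY_PRIVACY_ROLES = {"ISSO", "SAISO", "SAOP", "SYSTEM_PRIVACY_OFFICER"}

@dataclass
class Approval:
    approver: str
    role: str           # role the approver held when voting (assumed field)
    decision: str       # "approved" or "rejected"
    voted_at: datetime

@dataclass
class ChangeRequest:
    change_id: str
    approvals: List[Approval] = field(default_factory=list)
    sia_completed_by: Optional[str] = None      # team that completed the SIA checklist
    sia_completed_at: Optional[datetime] = None

def cm3_4_findings(cr: ChangeRequest) -> List[str]:
    """CM-3(4) findings for one change request; an empty list means it may proceed."""
    findings = []
    # Example 2: the security impact assessment must be completed by the security
    # team before the CCB votes, so a missing or late SIA blocks the change.
    if cr.sia_completed_by != "security" or cr.sia_completed_at is None:
        findings.append("security impact assessment not completed by the security team")
    elif cr.approvals and cr.sia_completed_at > min(a.voted_at for a in cr.approvals):
        findings.append("security impact assessment completed after CCB voting began")
    # Example 1: a security or privacy representative must be among the approvers.
    reps = [a for a in cr.approvals if a.role in SECURITY_PRIVACY_ROLES]
    if not reps:
        findings.append("no security/privacy representative among approvers")
    elif any(a.decision != "approved" for a in reps):
        findings.append("security/privacy representative did not approve")
    return findings

def constructed_samples() -> dict:
    """Constructed change records (not real ServiceNow data) covering pass and fail cases."""
    vote, sia_early, sia_late = datetime(2024, 1, 10, 9), datetime(2024, 1, 9), datetime(2024, 1, 11)
    isso_ok = Approval("isso", "ISSO", "approved", vote)
    ops_ok = Approval("ops-lead", "OPS", "approved", vote)
    return {
        "compliant": ChangeRequest("CHG0001", [ops_ok, isso_ok], "security", sia_early),
        "ops_only": ChangeRequest("CHG0002", [ops_ok], "security", sia_early),
        "late_sia": ChangeRequest("CHG0003", [ops_ok, isso_ok], "security", sia_late),
        "no_sia": ChangeRequest("CHG0004", [ops_ok, isso_ok]),
    }
```

Wiring `cm3_4_findings` into the workflow transition to "implement" (and logging its findings) gives the assessor evidence that the representative's membership on the change control element is enforced, not merely documented.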