NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-4Impact Analyses

Analyze changes to the system to determine potential security and privacy impacts prior to change implementation.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizational personnel with security or privacy responsibilities conduct impact analyses. Individuals conducting impact analyses possess the necessary skills and technical expertise to analyze the changes to systems as well as the security or privacy ramifications. Impact analyses include reviewing security and privacy plans, policies, and procedures to understand control requirements; reviewing system design documentation and operational procedures to understand control implementation and how specific system changes might affect the controls; reviewing the impact of changes on organizational supply chain partners with stakeholders; and determining how potential changes to a system create new risks to the privacy of individuals and the ability of implemented controls to mitigate those risks. Impact analyses also include risk assessments to understand the impact of the changes and determine if additional controls are required.

Practitioner Notes

Before you make a change to your system, you need to analyze the potential security impact. Will this change break an existing security control? Could it introduce a new vulnerability?

Example 1: Before upgrading your firewall firmware, review the vendor release notes for known security issues and test the upgrade in a lab to verify existing rules still function.

Example 2: Include a security impact analysis section in every change request in ServiceNow that requires the submitter to identify which security controls might be affected.

More Configuration Management Controls

CM-1 Policy and Procedures CM-2 Baseline Configuration CM-2(1) Reviews and Updates CM-2(2) Automation Support for Accuracy and Currency