Requirement text: CM.2.066: Analyze the security impact of changes prior to implementation.
DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
Organizational personnel with information security responsibilities (e.g., system
administrators, system security officers, system security managers, and systems security
engineers) conduct security impact analyses. Individuals conducting security impact
analyses possess the necessary skills and technical expertise to analyze the changes to
systems and the associated security ramifications. Security impact analysis may include
reviewing security plans to understand security requirements and reviewing system design
documentation to understand the implementation of controls and how specific changes
might affect the controls. Security impact analyses may also include risk assessments to
better understand the impact of the changes and to determine if additional controls are
required.
NIST SP 800-128 provides guidance on configuration change control and security impact
analysis.
CMMC CLARIFICATION
You should analyze the potential security impact of changes before implementing them.
Changes to complex environments can cause unforeseen problems in the affected systems and
environments. Perform an analysis that focuses specifically on the security impact of each
change. This can uncover potential problems before you implement the change and helps you
mitigate unforeseen problems.
Example
Someone requests major changes to the system and environment. You must complete a
process with several steps before you can put the change in place. You document a detailed
plan which includes the security impact of the change. An SME who did not submit the change
reviews the plan. That SME tries to identify security-related issues that the change may
cause. Then, they document or correct the potential issues. Finally, they submit the updated
change plan to your organization's change control board.
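The workflow in the example above can be enforced as a pre-implementation gate. The following is an added illustration, not code from NIST or the CMMC source; the ticket fields, role names and sample change requests are assumptions constructed for this example.

```python
# Added example (not from the CMMC or NIST source): a gate that refuses to let a
# change proceed until the steps from the Example above are satisfied.
# Field names, statuses and the sample tickets below are constructed assumptions.
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class ChangeRequest:
    change_id: str
    submitter: str
    plan: str                          # detailed change plan
    security_impact: str               # written security impact analysis
    reviewer: Optional[str] = None     # SME who reviewed the plan
    issues: list = field(default_factory=list)  # [{"desc": ..., "status": ...}]
    ccb_submitted: bool = False        # updated plan sent to change control board

RESOLVED = ("documented", "corrected")

def gate_change(cr: ChangeRequest) -> list:
    """Return reasons the change must not be implemented yet; empty list = cleared."""
    reasons = []
    if not cr.plan.strip():
        reasons.append("no detailed change plan documented")
    if not cr.security_impact.strip():
        reasons.append("security impact analysis missing from the plan")
    if cr.reviewer is None:
        reasons.append("plan has not been reviewed by an SME")
    elif cr.reviewer == cr.submitter:
        # Separation of duties: the reviewer must not be the person who submitted.
        reasons.append("reviewer must be an SME who did not submit the change")
    open_issues = [i["desc"] for i in cr.issues if i.get("status") not in RESOLVED]
    if open_issues:
        reasons.append("unresolved security issues: " + ", ".join(open_issues))
    if not cr.ccb_submitted:
        reasons.append("updated plan not submitted to the change control board")
    return reasons

# Constructed sample: submitter reviewed their own change and skipped the CCB.
BAD = ChangeRequest("CR-1", "alice", "Replace edge firewall", "Opens mgmt port",
                    reviewer="alice", issues=[{"desc": "mgmt port exposed", "status": "open"}])
# Constructed sample: independent review, issue corrected, plan sent to the CCB.
GOOD = ChangeRequest("CR-2", "alice", "Replace edge firewall", "Opens mgmt port",
                     reviewer="bob", issues=[{"desc": "mgmt port exposed", "status": "corrected"}],
                     ccb_submitted=True)

if __name__ == "__main__":
    for cr in (BAD, GOOD):
        print(cr.change_id, gate_change(cr) or "cleared for implementation")
```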
References
• NIST SP 800-171 Rev 1 3.4.4