CM-3: Configuration Change Control
NIST Baseline: Low
DIR Required By: 11/18/2024
TAMUS Required By: 08/01/2022
Review Date: 06/26/2024
- Information resource owners or their designees are responsible for determining and documenting the types of changes that are configuration-controlled in the change control process for the information systems under their control, in accordance with Texas Department of Information Resources (DIR) Security Control Standard requirements. The change control process should address:
  - How changes are identified, classified, prioritized, and requested;
  - Identification and deployment of emergency changes;
  - Assessing potential impacts from changes;
  - Authorizing changes and exceptions; and
  - Implementing changes and planning for back-outs.
- Configuration-controlled changes must:
  - Be documented, including approval decisions, a date and timeframe for the change, and the result after the change is made;
  - Be reviewed to consider their potential impact to users, stability of the system and dependent resources, and impact to security and privacy, then approved or disapproved; and
  - Have appropriate communications and coordination with anyone who will be impacted.
- Coordination and oversight of configuration change control activities are conducted through the weekly Change Advisory Board (CAB), which convenes, documents, and tracks changes.
References/Additional Resources
None. See any applicable internal procedures.