NIST 800-53 Rev 5
424 controls available
CM-3moderatehigh
Configuration Change Control
Configuration Management
Control Statement
Determine and document the types of changes to the system that are configuration-controlled; Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses; Document configuration change decisions associated with the system; Implement approved configuration-controlled changes to the system; Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }}; Monitor and review activities associated with configuration-controlled changes to the system; and Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}.
Discussion
Configuration change control for organizational systems involves the systematic proposal, justification, implementation, testing, review, and disposition of system changes, including system upgrades and modifications. Configuration change control includes changes to baseline configurations, configuration items of systems, operational procedures, configuration settings for system components, remediate vulnerabilities, and unscheduled or unauthorized changes. Processes for managing configuration changes to systems include Configuration Control Boards or Change Advisory Boards that review and approve proposed changes. For changes that impact privacy risk, the senior agency official for privacy updates privacy impact assessments and system of records notices. For new systems or major upgrades, organizations consider including representatives from the development organizations on the Configuration Control Boards or Change Advisory Boards. Auditing of changes includes activities before and after changes are made to systems and the auditing activities required to implement such changes. See also [SA-10](#sa-10).
- Framework
- NIST SP 800-53 Rev 5
- Family
- Configuration Management
- Baselines
- moderate, high
Related Frameworks
14 paths across 2 frameworks
Related Frameworks
NIST 800-1711 mapping
3.4.3
1.00
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI13 mappings
CCI-000313
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-000314
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-000316
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-000318
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-000319
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-000320
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-000321
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001586
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001740
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001741
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-001819
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-002056
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI-003912
1.00
- DISA · 2025-01-23 · disa_cci_list · equivalent
Related STIGs
81 STIGs reach this control through 49 CCIs. Expand a row to see the responsible NICE and O*NET roles.
Operating System — Server
35 STIGs
Operating System — Server
35 STIGsAmazon Linux 2023 Security Technical Implementation Guide
V1R32026-02-273 of 187 findings match
M3
Oracle Linux 7 Security Technical Implementation Guide
32025-05-083 of 243 findings match
M3
Oracle Linux 9 Security Technical Implementation Guide
12025-05-083 of 456 findings match
M3
Oracle Linux 9 Security Technical Implementation Guide
V1R52026-02-173 of 448 findings match
M3
Red Hat Enterprise Linux 9 Security Technical Implementation Guide
22025-05-143 of 450 findings match
M3
Red Hat Enterprise Linux 9 Security Technical Implementation Guide
V2R82026-02-053 of 446 findings match
M3
Oracle Linux 8 Security Technical Implementation Guide
22025-05-132 of 374 findings match
M2
Oracle Linux 8 Security Technical Implementation Guide
V2R82026-02-132 of 375 findings match
M2
Show 27 more STIGs in this category →Hide additional STIGs
Red Hat Enterprise Linux 10 Security Technical Implementation Guide
V1R12026-03-112 of 434 findings match
M2
Red Hat Enterprise Linux 8 Security Technical Implementation Guide
22025-05-142 of 369 findings match
M2
Red Hat Enterprise Linux 8 Security Technical Implementation Guide
V2R72026-02-052 of 366 findings match
M2
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
12025-05-082 of 210 findings match
M2
SUSE Linux Enterprise Micro (SLEM) 5 Security Technical Implementation Guide
V1R42026-02-102 of 208 findings match
M2
SUSE Linux Enterprise Server 15 Security Technical Implementation Guide
22025-05-142 of 216 findings match
M2
SUSE Linux Enterprise Server 15 Security Technical Implementation Guide
V2R72026-02-192 of 214 findings match
M2
Anduril NixOS Security Technical Implementation Guide
12024-10-251 of 104 findings match
M1
Anduril NixOS Security Technical Implementation Guide
V1R22025-08-191 of 103 findings match
M1
Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
22025-05-161 of 187 findings match
M1
Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide
V2R82026-02-061 of 188 findings match
M1
Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide
V1R62026-02-271 of 439 findings match
M1
CloudLinux AlmaLinux OS 9 Security Technical Implementation Guide
12025-05-221 of 445 findings match
M1
General Purpose Operating System Security Requirements Guide
32024-12-041 of 198 findings match
M1
General Purpose Operating System Security Requirements Guide
V3R32025-09-221 of 203 findings match
M1
Microsoft Windows Server 2019 Security Technical Implementation Guide
32025-05-231 of 275 findings match
M1
Microsoft Windows Server 2019 Security Technical Implementation Guide
V3R82026-02-121 of 282 findings match
M1
Microsoft Windows Server 2022 Security Technical Implementation Guide
22025-05-151 of 275 findings match
M1
Microsoft Windows Server 2022 Security Technical Implementation Guide
V2R82026-02-131 of 282 findings match
M1
Microsoft Windows Server 2025 Security Technical Implementation Guide
V1R12026-02-201 of 284 findings match
M1
Solaris 11 SPARC Security Technical Implementation Guide
32025-05-051 of 217 findings match
M1
Solaris 11 SPARC Security Technical Implementation Guide
V3R52026-02-191 of 217 findings match
M1
Solaris 11 X86 Security Technical Implementation Guide
32025-05-051 of 216 findings match
M1
Solaris 11 X86 Security Technical Implementation Guide
V3R52026-02-191 of 216 findings match
M1
SUSE Linux Enterprise Server 12 Security Technical Implementation Guide
32025-05-141 of 211 findings match
M1
Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
22025-05-081 of 226 findings match
M1
Tri-Lab Operating System Stack (TOSS) 4 Security Technical Implementation Guide
V2R52026-02-191 of 226 findings match
M1
Operating System — Mainframe
39 STIGs
Operating System — Mainframe
39 STIGsIBM z/OS ACF2 Security Technical Implementation Guide
92025-06-241 of 226 findings match
M1
IBM z/OS ACF2 Security Technical Implementation Guide
V9R82026-03-091 of 225 findings match
M1
IBM z/OS RACF Security Technical Implementation Guide
92025-06-241 of 224 findings match
M1
IBM z/OS RACF Security Technical Implementation Guide
V9R82026-03-091 of 222 findings match
M1
IBM z/OS TSS Security Technical Implementation Guide
92025-06-241 of 231 findings match
M1
IBM z/OS TSS Security Technical Implementation Guide
V9R82026-03-091 of 230 findings match
M1
IBM zSecure Suite Security Technical Implementation Guide
V1R32025-03-051 of 11 findings match
M1
Mainframe Product Security Requirements Guide
32024-12-051 of 193 findings match
M1
Show 31 more STIGs in this category →Hide additional STIGs
Mainframe Product Security Requirements Guide
V3R42025-09-101 of 194 findings match
M1
z/OS BMC CONTROL-D for ACF2 Security Technical Implementation Guide
72024-12-161 of 7 findings match
M1
z/OS BMC CONTROL-D for ACF2 Security Technical Implementation Guide
V7R22025-09-261 of 7 findings match
M1
z/OS BMC CONTROL-D for RACF Security Technical Implementation Guide
72024-12-161 of 8 findings match
M1
z/OS BMC CONTROL-D for RACF Security Technical Implementation Guide
V7R22025-09-271 of 8 findings match
M1
z/OS BMC CONTROL-D for TSS Security Technical Implementation Guide
V7R22025-09-281 of 9 findings match
M1
z/OS BMC CONTROL-M for ACF2 Security Technical Implementation Guide
72024-12-161 of 8 findings match
M1
z/OS BMC CONTROL-M for ACF2 Security Technical Implementation Guide
V7R22025-09-261 of 8 findings match
M1
z/OS BMC CONTROL-M for RACF Security Technical Implementation Guide
72024-12-161 of 9 findings match
M1
z/OS BMC CONTROL-M for RACF Security Technical Implementation Guide
V7R22025-09-271 of 9 findings match
M1
z/OS BMC CONTROL-O for ACF2 Security Technical Implementation Guide
72025-02-241 of 7 findings match
M1
z/OS BMC CONTROL-O for ACF2 Security Technical Implementation Guide
V7R22025-09-271 of 7 findings match
M1
z/OS BMC CONTROL-O for RACF Security Technical Implementation Guide
72025-02-241 of 8 findings match
M1
z/OS BMC CONTROL-O for RACF Security Technical Implementation Guide
V7R22025-09-271 of 8 findings match
M1
z/OS BMC CONTROL-O for TSS Security Technical Implementation Guide
V7R22025-09-281 of 9 findings match
M1
z/OS BMC IOA for ACF2 Security Technical Implementation Guide
72025-02-241 of 7 findings match
M1
z/OS BMC IOA for ACF2 Security Technical Implementation Guide
V7R22025-09-271 of 7 findings match
M1
z/OS BMC IOA for RACF Security Technical Implementation Guide
72025-02-241 of 8 findings match
M1
z/OS BMC IOA for RACF Security Technical Implementation Guide
V7R22025-09-271 of 8 findings match
M1
z/OS BMC IOA for TSS Security Technical Implementation Guide
V7R22025-09-281 of 9 findings match
M1
z/OS CA 1 Tape Management for ACF2 Security Technical Implementation Guide
72024-12-161 of 9 findings match
M1
z/OS CA 1 Tape Management for ACF2 Security Technical Implementation Guide
V7R22025-09-271 of 9 findings match
M1
z/OS CA 1 Tape Management for RACF Security Technical Implementation Guide
72024-12-161 of 11 findings match
M1
z/OS CA 1 Tape Management for RACF Security Technical Implementation Guide
V7R22025-09-271 of 11 findings match
M1
z/OS CA 1 Tape Management for TSS Security Technical Implementation Guide
V7R22025-09-281 of 11 findings match
M1
z/OS Front End Processor for ACF2 Security Technical Implementation Guide
72024-12-161 of 5 findings match
M1
z/OS Front End Processor for ACF2 Security Technical Implementation Guide
V7R22025-09-271 of 5 findings match
M1
z/OS Front End Processor for RACF Security Technical Implementation Guide
72024-12-161 of 5 findings match
M1
z/OS Front End Processor for RACF Security Technical Implementation Guide
V7R22025-09-271 of 5 findings match
M1
zOS BMC CONTROL-M for TSS Security Technical Implementation Guide
V7R22025-09-281 of 10 findings match
M1
zOS Front End Processor for TSS Security Technical Implementation Guide
V7R22025-09-281 of 5 findings match
M1
Network Device
4 STIGs
Network Device
4 STIGsApplication Layer Gateway Security Requirements Guide
22024-12-041 of 155 findings match
M1
Application Layer Gateway Security Requirements Guide
V2R32025-09-151 of 160 findings match
M1
IBM DataPower Network Device Management Security Technical Implementation Guide
V1R22017-10-051 of 64 findings match
M1
Riverbed NetIM OS Security Technical Implementation Guide
V1R12025-10-021 of 154 findings match
M1
Virtualization / Container
3 STIGs
Virtualization / Container
3 STIGsVirtual Machine Manager Security Requirements Guide
22024-12-061 of 193 findings match
M1
Virtual Machine Manager Security Requirements Guide
V2R32025-09-101 of 198 findings match
M1
VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide
V2R12024-07-111 of 106 findings match
M1