Change Control & Configuration Management Processes for FedRAMP/FISMA/CMMC Compliance

Change control and configuration management processes help maintain a secure baseline configuration of the Cloud Service Provider’s (CSP) architecture. Routine day-to-day changes are managed through the CSP’s change management process described in their Configuration Management Plan.

The configuration management control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance.

Configuration change controls for organizational information systems involve the systematic proposal, justification, implementation, testing, review, and disposition of changes to the systems, including system upgrades and modifications. Configuration change control includes changes to baseline configurations for components and configuration items of information systems, changes to configuration settings for information technology products (e.g., operating systems, applications, firewalls, routers, and mobile devices), unscheduled/unauthorized changes, and changes to remediate vulnerabilities. Typical processes for managing configuration changes to information systems include, for example, Configuration Control Boards that approve proposed changes to systems. For new development information systems or systems undergoing major upgrades, organizations consider including representatives from development organizations on the Configuration Control Boards. Auditing of changes includes activities before and after changes are made to organizational information systems and the auditing activities required to implement such changes.

Continuous Monitoring CA-7

Every organization must have a continuous monitoring strategy in place. Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies.

The FedRAMP continuous monitoring program is based on the continuous monitoring process described in NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations. The goal is to provide: (i) operational visibility; (ii) managed change control; and (iii) attendance to incident response duties.

The FedRAMP PMO has recognized the importance of ongoing security control monitoring, which helps ensure that deployed security controls remain effective and operate as intended. As part of the FedRAMP post-authorization requirement, CSPs must periodically validate whether security controls are implemented correctly and operate as intended.

The FedRAMP ConMon process follows the guidance in NIST SP 800-137. As described by NIST, the ConMon process consists of the following steps:

  • Define – CSPs must define a continuous monitoring strategy that is based on risk tolerance, ensuring visibility into their information system assets and vulnerabilities
  • Establish – CSPs must establish a continuous monitoring program, including measures, metrics, and control assessment frequencies
  • Implement – the continuous monitoring program must be implemented to collect required data
  • Analyze and Report – the collected data must be analyzed, and findings must be reported
  • Respond – all findings must be addressed with technical, management, and/or operational mitigating activities
  • Review and Update – based on the lessons learned, the continuous monitoring program must be reviewed and revised

The goal of the FedRAMP continuous monitoring requirement is to provide operational visibility, manage change control, and ensure incidents are responded to in a timely manner.

Security Impact Analysis CM-4

Organizational personnel with information security responsibilities (e.g., Information System Administrators, Information System Security Officers, Information System Security Managers, and Information System Security Engineers) conduct security impact analyses. Individuals conducting security impact analyses possess the necessary skills/technical expertise to analyze the changes to information systems and the associated security ramifications. Security impact analysis may include, for example, reviewing security plans to understand security control requirements and reviewing system design documentation to understand control implementation and how specific changes might affect the controls. Security impact analyses may also include assessments of risk to better understand the impact of the changes and to determine if additional security controls are required.

Are you interested in learning more about change control & configuration management processes to meet FedRAMP, FISMA, and CMMC compliance requirements? Are you interested in learning about how to implement a change and what constitutes change and what doesn’t? If yes, contact us by filling out this form to schedule an appointment with a Cloud Solution and Compliance Specialist.

Author: Bunmi Olukoya, Sr. Director, Compliance, and Consulting Services at stackArmor
