Changes to the configuration of information systems must be analyzed to determine potential security impacts.


  • The intended audience includes, but is not limited to, custodians and/or owners of an information resource.


  1. Information resource custodians and/or owners should consider and document the potential impact to information security prior to the implementation of a change in configuration.

  2. All changes to security-related information resources shall be approved by the information owner through a documented change control process.


    The degree to which change management activities and processes are employed is dependent upon the projected inherent risk of the change (e.g., potential for unplanned disruption of service, corruption/loss of data, or disclosure of confidential information resulting from the change implementation) and the complexity of the information resources (e.g., number of users, interconnections with other systems, or number of components or subsystems).