CHG-05: Stakeholder Notification of Changes
Mechanisms exist to ensure stakeholders are made aware of and understand the impact of proposed changes.
Control Question: Does the organization ensure stakeholders are made aware of and understand the impact of proposed changes?
General (28)
| Framework | Mapping Values |
|---|---|
| AICPA TSC 2017:2022 (used for SOC 2) (source) | CC2.2-POF13 CC8.1 |
| COBIT 2019 | EDM05.01 EDM05.02 EDM05.03 |
| CSA CCM 4 | CCC-05 CEK-06 TVM-09 |
| GovRAMP Core | CM-09 |
| GovRAMP Low+ | CM-09 |
| GovRAMP Moderate | CM-09 |
| GovRAMP High | CM-09 |
| ISO 42001 2023 | A.5.2 A.5.3 |
| NIST AI 100-1 (AI RMF) 1.0 | GOVERN 5.0 |
| NIST 800-53 R4 | CM-9 |
| NIST 800-53 R4 (moderate) | CM-9 |
| NIST 800-53 R4 (high) | CM-9 |
| NIST 800-53 R5 (source) | CM-9 |
| NIST 800-53B R5 (moderate) (source) | CM-9 |
| NIST 800-53B R5 (high) (source) | CM-9 |
| NIST 800-82 R3 MODERATE OT Overlay | CM-9 |
| NIST 800-82 R3 HIGH OT Overlay | CM-9 |
| NIST 800-160 | 3.4.10 3.4.13 |
| NIST 800-161 R1 | CM-9 |
| NIST 800-161 R1 Flow Down | CM-9 |
| NIST 800-161 R1 Level 2 | CM-9 |
| NIST 800-161 R1 Level 3 | CM-9 |
| NIST 800-171 R2 (source) | NFO-CM-9 |
| NIST 800-171 R3 (source) | 03.04.11.b |
| NIST 800-171A R3 (source) | A.03.04.11.b[01] A.03.04.11.b[02] |
| SCF CORE Mergers, Acquisitions & Divestitures (MA&D) | CHG-05 |
| SCF CORE ESP Level 2 Critical Infrastructure | CHG-05 |
| SCF CORE ESP Level 3 Advanced Threats | CHG-05 |
US (4)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | TM:SG4.SP2 |
| US CMS MARS-E 2.0 | CM-9 |
| US IRS 1075 | CM-9 |
| US - TX TX-RAMP Level 2 | CM-9 |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia IoT CGIoT-1 2024 | 1-5-3 |
Americas (1)
| Framework | Mapping Values |
|---|---|
| Americas Canada ITSP-10-171 | 03.04.11.B |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to ensure stakeholders are made aware of and understand the impact of proposed changes.
Level 1 — Performed Informally
Change Management (CHG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Govern changes to systems, applications and services to ensure their stability, reliability and predictability. o Notify stakeholders about proposed changes.
- IT personnel use an informal process to:
- Logical Access Control (LAC) limits the ability of non-administrators from making unauthorized configuration changes to systems, applications and services.
- Requests for Change (RFC) are submitted to IT personnel.
- prior to changes being made, RFCs are informally reviewed for cybersecurity and data privacy ramifications.
- Whenever possible, IT personnel test changes to business-critical systems/services/applications on a similarly configured IT environment as that of Production, prior to widespread production release of the change.
Level 2 — Planned & Tracked
Change Management (CHG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, the following criteria to exist:
- Change management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
- IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for change management.
- Changes are tracked through a centralized technology solution to submit, review, approve and assign Requests for Change (RFC).
- A Change Advisory Board (CAB), or similar function, exists to govern changes to systems, applications and services to ensure their stability, reliability and predictability.
- A CAB, or similar function, reviews RFCs for cybersecurity and data privacy ramifications.
- A CAB, or similar function, notifies stakeholders to ensure awareness of the impact of proposed changes.
- Logical Access Control (LAC) limits the ability of non-administrators from making unauthorized configuration changes to systems, applications and services.
- Cybersecurity controls are tested after a change is implemented to ensure cybersecurity controls are operating properly.
Level 3 — Well Defined
Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Exists to govern changes to systems, applications and services to ensure their stability, reliability and predictability. o Reviews RFC for cybersecurity and data privacy ramifications. o Notifies stakeholders to ensure awareness of the impact of proposed changes.
- An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
- ITAM leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets.
- Logical Access Control (LAC) is governed to limit the ability of non-administrators from making configuration changes to systems, applications and services.
- A formal Change Management (CM) program ensures that no unauthorized changes are made, that all changes are documented, that services are not disrupted and that resources are used efficiently.
- The CM function has formally defined roles and associated responsibilities.
- Changes are tracked through a centralized technology solution to submit, review, approve and assign Requests for Change (RFC).
- A Change Advisory Board (CAB), or similar function:
- IT personnel use dedicated development/test/staging environments to deploy and evaluate changes, wherever technically possible.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to ensure stakeholders are made aware of and understand the impact of proposed changes.
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to ensure stakeholders are made aware of and understand the impact of proposed changes.
Assessment Objectives
- CHG-05_A01 as part of the organization's change management processes, stakeholders are alerted to spread awareness of the potential impact(s) from proposed changes.
- CHG-05_A02 changes to the system or system component location where sensitive / regulated data is processed are documented.
- CHG-05_A03 changes to the system or system component location where sensitive / regulated data is stored are documented.
- CHG-05_A04 changes to the system or system component location where CUI is processed are documented.
- CHG-05_A05 changes to the system or system component location where CUI is stored are documented.
Technology Recommendations
Micro/Small
- Change management procedures
- Change Control Board (CCB)
- VisibleOps (https://itpi.org)
- ITIL 4 (https://axelos.com)
Small
- Change management procedures
- Change Control Board (CCB)
- VisibleOps (https://itpi.org)
- ITIL 4 (https://axelos.com)
Medium
- Change management procedures
- Change Control Board (CCB)
- VisibleOps (https://itpi.org)
- ITIL 4 (https://axelos.com)
Large
- Change management procedures
- Change Control Board (CCB)
- VisibleOps (https://itpi.org)
- ITIL 4 (https://axelos.com)
Enterprise
- Change management procedures
- Change Control Board (CCB)
- VisibleOps (https://itpi.org)
- ITIL 4 (https://axelos.com)