
CHG-06: Control Functionality Verification

CHG 9 — Critical Protect

Mechanisms exist to verify the functionality of cybersecurity and data protection controls following implemented changes to ensure applicable controls operate as designed.

Control Question: Does the organization verify the functionality of cybersecurity and/or data protection controls following implemented changes to ensure applicable controls operate as designed?

General (26)
Framework Mapping Values
CIS CSC 8.1 18.4
GovRAMP Low+ CM-03(02)
GovRAMP Moderate CM-03(02) SI-06
GovRAMP High CM-03(02) SI-06
IEC 62443-4-2 2019 CR 3.3 (7.5.1) CR 3.3 (7.5.3(1))
NIST 800-53 R4 CM-3(2) SI-6
NIST 800-53 R4 (moderate) CM-3(2)
NIST 800-53 R4 (high) CM-3(2) SI-6
NIST 800-53 R5 (source) CM-3(2) SI-6 SA-8(31)
NIST 800-53B R5 (moderate) (source) CM-3(2)
NIST 800-53B R5 (high) (source) CM-3(2) SI-6
NIST 800-53 R5 (NOC) (source) SA-8(31)
NIST 800-82 R3 MODERATE OT Overlay CM-3(2)
NIST 800-82 R3 HIGH OT Overlay CM-3(2) SI-6
NIST 800-160 3.4.10 3.4.13
NIST 800-161 R1 CM-3(2)
NIST 800-171 R3 (source) 03.04.04.b
NIST 800-171A R3 (source) A.03.04.04.b
PCI DSS 4.0.1 (source) 6.5.2 10.7.3 A3.2.2.1
PCI DSS 4.0.1 SAQ A-EP (source) 6.5.2
PCI DSS 4.0.1 SAQ C (source) 6.5.2
PCI DSS 4.0.1 SAQ D Merchant (source) 6.5.2
PCI DSS 4.0.1 SAQ D Service Provider (source) 6.5.2
SCF CORE Mergers, Acquisitions & Divestitures (MA&D) CHG-06
SCF CORE ESP Level 2 Critical Infrastructure CHG-06
SCF CORE ESP Level 3 Advanced Threats CHG-06
US (12)
Framework Mapping Values
US CERT RMM 1.2 TM:SG2.SP2
US CMS MARS-E 2.0 CM-3(2) SI-6
US FedRAMP R4 CM-3(2) SI-6
US FedRAMP R4 (moderate) SI-6
US FedRAMP R4 (high) CM-3(2) SI-6
US FedRAMP R5 (source) CM-3(2) SI-6
US FedRAMP R5 (moderate) (source) SI-6
US FedRAMP R5 (high) (source) CM-3(2) SI-6
US IRS 1075 CM-3(2)
US NISPOM 2020 8-613
US - CA CCPA 2025 7123(c)(5)(D) 7123(c)(5)(E)
US - TX TX-RAMP Level 2 CM-3(2) SI-6
EMEA (1)
Framework Mapping Values
EMEA Israel CDMO 1.0 10.6 12.30 14.10
APAC (1)
Framework Mapping Values
APAC Singapore MAS TRM 2021 7.5.5
Americas (1)
Framework Mapping Values
Americas Canada ITSP-10-171 03.04.04.B

Capability Maturity Model

Level 0 — Not Performed

There is no evidence of a capability to verify the functionality of cybersecurity and/or data protection controls following implemented changes to ensure applicable controls operate as designed.

Level 1 — Performed Informally

Change Management (CHG) efforts are ad hoc and inconsistent. CMM Level 1 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • IT personnel use an informal process to:
      o Govern changes to systems, applications and services to ensure their stability, reliability and predictability.
      o Notify stakeholders about proposed changes.
  • Logical Access Control (LAC) limits the ability of non-administrators to make unauthorized configuration changes to systems, applications and services.
  • Requests for Change (RFC) are submitted to IT personnel.
  • Prior to changes being made, RFCs are informally reviewed for cybersecurity and data protection ramifications.
  • Whenever possible, IT personnel test changes to business-critical systems/services/applications in an IT environment configured similarly to Production, prior to widespread production release of the change.

Level 2 — Planned & Tracked

Change Management (CHG) efforts are requirements-driven and governed at a local/regional level, but are not consistent across the organization. CMM Level 2 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • Change management is decentralized (e.g., a localized/regionalized function) and uses non-standardized methods to implement secure, resilient and compliant practices.
  • IT/cybersecurity personnel identify cybersecurity and data protection controls that are appropriate to address applicable statutory, regulatory and contractual requirements for change management.
  • Changes are tracked through a centralized technology solution to submit, review, approve and assign Requests for Change (RFC).
  • A Change Advisory Board (CAB), or similar function, exists to govern changes to systems, applications and services to ensure their stability, reliability and predictability.
  • A CAB, or similar function, reviews RFCs for cybersecurity and data protection ramifications.
  • A CAB, or similar function, notifies stakeholders to ensure awareness of the impact of proposed changes.
  • Logical Access Control (LAC) limits the ability of non-administrators to make unauthorized configuration changes to systems, applications and services.
  • Cybersecurity controls are tested after a change is implemented to ensure they are still operating properly.

Level 3 — Well Defined

Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, of the following criteria to exist:

  • An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
  • ITAM leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets.
  • Logical Access Control (LAC) is governed to limit the ability of non-administrators to make configuration changes to systems, applications and services.
  • A formal Change Management (CM) program ensures that no unauthorized changes are made, that all changes are documented, that services are not disrupted and that resources are used efficiently.
  • The CM function has formally defined roles and associated responsibilities.
  • Changes are tracked through a centralized technology solution to submit, review, approve and assign Requests for Change (RFC).
  • A Change Advisory Board (CAB), or similar function:
      o Exists to govern changes to systems, applications and services to ensure their stability, reliability and predictability.
      o Reviews RFCs for cybersecurity and data protection ramifications.
      o Notifies stakeholders to ensure awareness of the impact of proposed changes.
  • IT personnel use dedicated development/test/staging environments to deploy and evaluate changes, wherever technically possible.
  • Upon implementing the RFC, the technician implementing the change tests to ensure that anti-malware, logging and other cybersecurity and data protection controls are still implemented and operating properly.
  • A structured set of controls is tested after a change is implemented to ensure cybersecurity controls are operating properly.
  • Results from testing changes are documented.
  • A vulnerability assessment is conducted on the affected systems/applications/services to detect any new vulnerabilities that the change may have introduced.

Level 4 — Quantitatively Controlled

See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to verify the functionality of cybersecurity and/or data protection controls following implemented changes to ensure applicable controls operate as designed.

Level 5 — Continuously Improving

See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to verify the functionality of cybersecurity and/or data protection controls following implemented changes to ensure applicable controls operate as designed.

Assessment Objectives

  1. CHG-06_A01 security functions to be verified for correct operation are defined.
  2. CHG-06_A02 organization-defined activities are initiated when anomalies are discovered.
  3. CHG-06_A03 the security requirements for the system continue to be satisfied after the system changes have been implemented.
  4. CHG-06_A04 privacy functions to be verified for correct operation are defined.
  5. CHG-06_A05 system transitional states requiring the verification of cybersecurity / data privacy functions are defined.
  6. CHG-06_A06 the frequency at which to verify the correct operation of cybersecurity / data privacy functions is defined.
  7. CHG-06_A07 alternative action(s) to be performed when anomalies are discovered are defined.
  8. CHG-06_A08 cybersecurity / data privacy functions are verified to be operating correctly.
  9. CHG-06_A09 personnel or roles to be alerted of failed cybersecurity / data privacy verification tests is/are defined.
  10. CHG-06_A10 pertinent personnel or roles is/are alerted to failed cybersecurity / data privacy verification tests.
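
One way to implement the post-change verification called for by the Level 2 and Level 3 criteria and by the assessment objectives above, as an added example that is not SCF content: each Check names a security function to verify (A01), the checks run against a snapshot of system state captured after the change (A08), failures that were passing before the change are reported as regressions separately from pre-existing failures (A02, A03), and each check carries the roles to alert when it fails (A09, A10). The service names, file contents, role names and the two snapshots are constructed sample data and assumptions for illustration, not output from a real host. The sshd_config parser applies sshd's first-occurrence rule, so it catches the common "rollback by appending a line" mistake that a naive last-line check would miss.

```python
"""Post-change verification of security controls against captured state.

Added example (not SCF content). Snapshots below are constructed sample data.
"""
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Snapshot = Dict[str, Any]


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Effective sshd options, keyed in lower case.

    sshd honours the FIRST occurrence of a keyword, so a rollback that only
    appends 'PasswordAuthentication no' after an earlier 'yes' changes nothing.
    Options after a Match block are conditional and are ignored here.
    """
    effective: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        effective.setdefault(key, value)  # first occurrence wins
    return effective


@dataclass
class Check:
    control: str                        # security function being verified (A01)
    verify: Callable[[Snapshot], bool]
    alert_roles: List[str]              # roles alerted on failure (A09)


@dataclass
class Result:
    control: str
    passed: bool
    alert_roles: List[str]


def service_active(name: str) -> Callable[[Snapshot], bool]:
    return lambda s: s["services"].get(name) == "active"


def sshd_option(key: str, expected: str) -> Callable[[Snapshot], bool]:
    return lambda s: parse_sshd_config(s["sshd_config"]).get(key.lower(), "").lower() == expected.lower()


def remote_syslog_target(pattern: str) -> Callable[[Snapshot], bool]:
    return lambda s: re.search(pattern, s["rsyslog_conf"], re.MULTILINE) is not None


def audit_rule_present(fragment: str) -> Callable[[Snapshot], bool]:
    return lambda s: any(fragment in rule for rule in s["audit_rules"])


# Controls re-verified after every change (hypothetical role names).
CHECKS: List[Check] = [
    Check("auditd service active", service_active("auditd"), ["SOC on-call"]),
    Check("rsyslog service active", service_active("rsyslog"), ["SOC on-call"]),
    Check("anti-malware daemon active", service_active("clamav-daemon"), ["SOC on-call"]),
    Check("sshd PermitRootLogin no", sshd_option("PermitRootLogin", "no"), ["Platform on-call"]),
    Check("sshd PasswordAuthentication no", sshd_option("PasswordAuthentication", "no"), ["Platform on-call"]),
    Check("syslog forwarded to SIEM", remote_syslog_target(r"^\*\.\*\s+@@?[\w.\-]+:\d+"), ["SOC on-call"]),
    Check("audit rule watching /etc/sudoers", audit_rule_present("-w /etc/sudoers"), ["Compliance"]),
    Check("audit rule watching /etc/shadow", audit_rule_present("-w /etc/shadow"), ["Compliance"]),
]

# Constructed snapshots. The change enabled password SSH logins "temporarily",
# replaced rsyslog.conf and left rsyslog stopped; a later rollback appended a
# PasswordAuthentication line that sshd never applies.
PRE_CHANGE: Snapshot = {
    "services": {"auditd": "active", "rsyslog": "active", "clamav-daemon": "active"},
    "sshd_config": "# sshd_config (constructed)\nPermitRootLogin no\nPasswordAuthentication no\nLogLevel VERBOSE\n",
    "rsyslog_conf": "*.* @@siem.corp.example:6514\n",
    "audit_rules": ["-w /etc/sudoers -p wa -k privilege", "-w /etc/passwd -p wa -k identity"],
}
POST_CHANGE: Snapshot = {
    "services": {"auditd": "active", "rsyslog": "inactive", "clamav-daemon": "active"},
    "sshd_config": "PasswordAuthentication yes\nPermitRootLogin no\nLogLevel VERBOSE\nPasswordAuthentication no\n",
    "rsyslog_conf": "*.* /var/log/all.log\n",
    "audit_rules": ["-w /etc/sudoers -p wa -k privilege", "-w /etc/passwd -p wa -k identity"],
}


def run_checks(snapshot: Snapshot, checks: List[Check] = CHECKS) -> List[Result]:
    """Verify every defined security function against one snapshot (A08)."""
    return [Result(c.control, bool(c.verify(snapshot)), c.alert_roles) for c in checks]


def verify_change(pre: Snapshot, post: Snapshot, checks: List[Check] = CHECKS) -> Dict[str, Any]:
    """A failure that passed before the change is a regression the RFC must fix
    before closure; a failure that already existed is reported separately."""
    before = {r.control: r.passed for r in run_checks(pre, checks)}
    failed = [r for r in run_checks(post, checks) if not r.passed]
    return {
        "passed": not failed,
        "regressions": [r.control for r in failed if before[r.control]],
        "pre_existing_failures": [r.control for r in failed if not before[r.control]],
        "alert_roles": sorted({role for r in failed for role in r.alert_roles}),  # A10
    }


if __name__ == "__main__":
    for key, value in verify_change(PRE_CHANGE, POST_CHANGE).items():
        print(f"{key}: {value}")
```

Run against the constructed snapshots, the report flags three regressions (rsyslog stopped, password authentication effectively enabled despite the appended rollback line, SIEM forwarding removed), one pre-existing failure (no audit rule on /etc/shadow) that should not be blamed on the RFC, and the union of roles to alert. In practice the snapshots would be built from `systemctl is-active`, the live sshd_config, rsyslog configuration and `auditctl -l` output captured before and after the change, and the RFC would not be closed while the regressions list is non-empty.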

Technology Recommendations

Micro/Small

  • Information Assurance Program (IAP)
  • Control Validation Testing (CVT) / Security Test & Evaluation (STE)

Small

  • Information Assurance Program (IAP)
  • Control Validation Testing (CVT) / Security Test & Evaluation (STE)

Medium

  • Information Assurance Program (IAP)
  • Control Validation Testing (CVT) / Security Test & Evaluation (STE)

Large

  • Information Assurance Program (IAP)
  • Control Validation Testing (CVT) / Security Test & Evaluation (STE)

Enterprise

  • Information Assurance Program (IAP)
  • Control Validation Testing (CVT) / Security Test & Evaluation (STE)

The Secure Controls Framework (SCF) is maintained by SCF Council. Use of SCF content is subject to the SCF Terms & Conditions.
