Configuration Management 3.4.3
Track, review, approve or disapprove, and log changes to organizational systems.
What Is This CMMC Control?
This control requires organizations to maintain a formal process for managing changes to their systems. Every change must be tracked, reviewed by appropriate personnel, formally approved or rejected, and documented in logs. This includes software updates, configuration changes, security patches, and any modifications to system components. The goal is to prevent unauthorized or poorly planned changes that could introduce security vulnerabilities or disrupt operations.
Control Intent
To ensure that changes to organizational systems are deliberate, authorized, and documented, preventing unauthorized modifications and maintaining system integrity and security posture.
Who This Control Applies To
- All organizational systems that process, store, or transmit CUI
- Development systems and test environments that will eventually process CUI
- Infrastructure components including servers, network devices, and security appliances
- Applications and software systems within the CDE or security boundary
- Cloud-hosted systems and services under organizational control
- Configuration management databases and asset inventories
Not Applicable When
- Systems explicitly scoped out of the CUI environment
- Standalone systems with no network connectivity and no CUI access
- Systems owned and managed entirely by external service providers where the organization has no administrative access
- End-user workstations where changes are controlled through centralized management tools covered under other controls
Key Objectives
1. Establish a formal change management process that requires tracking, review, approval, and logging of all system changes.
2. Prevent unauthorized or undocumented changes that could introduce security vulnerabilities or operational disruptions.
3. Maintain an auditable record of all changes to support incident investigation, compliance verification, and system integrity validation.
4. Ensure changes are properly evaluated for security impact before implementation.
Sample Self-Assessment Questions (Partial)
Do you have a formal process for requesting and approving changes to your systems?
Are all system changes documented before they are made?
Implementation Approaches (High-Level)
Formal Change Management System with CAB
A structured change management process using dedicated software with a Change Advisory Board that reviews and approves all significant changes.
Spreadsheet-Based Change Log with Email Approval
A simpler approach using spreadsheets to track changes with email-based approval workflows, suitable for smaller organizations.
Version Control System for Configuration Changes
Using version control systems like Git to track, review, and approve configuration changes through pull requests and merge approvals.
Managed Service Provider Change Management
Leveraging an MSP's existing change management process with contractual requirements for documentation and approval.
Cloud Provider Native Change Tracking
Using cloud platform native tools to track and log configuration changes with approval workflows.
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If no formal change management process exists, create a POA&M with milestones for policy development, tool selection, and process implementation.
- If changes are being made but not documented, implement interim spreadsheet-based tracking immediately while working toward a formal system.
- If emergency changes bypass the process, document a formal emergency change procedure with retroactive approval requirements.
- If third-party changes are not tracked, add contractual requirements and implement a process for vendor change notification.
- If audit logs do not capture sufficient change detail, enhance logging configuration and retention policies.
- If no CAB exists, establish a change review board with defined membership and meeting schedule.
- Prioritize implementing change control for systems with the highest CUI exposure first.
- Consider phased implementation, starting with major changes and expanding to routine changes.
- Ensure the POA&M includes training for personnel on the new change management procedures.
Frequently Asked Questions
What types of changes require formal approval under this control?
All changes to organizational systems that process, store, or transmit CUI require formal approval. This includes software updates, patches, configuration changes, hardware modifications, network changes, and security setting adjustments. Even routine maintenance should be documented, though organizations may establish different approval levels based on change risk and impact.
How do we handle emergency changes that need to be implemented immediately?
Emergency changes should follow an expedited approval process but still require documentation and approval. Best practice is to implement the emergency change with verbal or email approval from an authorized person, then retroactively document it in your formal change management system within 24-48 hours. Your procedures should define what constitutes an emergency and who can authorize emergency changes.
Do we need a Change Advisory Board for CMMC Level 2 compliance?
A formal Change Advisory Board (CAB) is not explicitly required, but you must have a documented process for reviewing and approving changes. For small organizations, this might be a single designated approver. Larger organizations typically benefit from a CAB that includes representatives from IT, security, and business units to ensure comprehensive change review.
What level of detail is required in change logs?
Change logs must capture enough information to support audit and investigation. At minimum, document: what system was changed, what specifically was changed, who requested the change, who approved it, when it was implemented, and why the change was necessary. Include before and after configurations when possible. Assessors need to be able to reconstruct the change from your documentation.
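The minimum fields listed above, together with the 24-48 hour retroactive documentation window for emergency changes from the earlier question, can be checked mechanically before an assessor ever sees the log. The script below is an added example, not code from this page or from ConformatIQ. The field names, the separation-of-duties check (a requester may not approve their own change, a common practice this page does not itself state), and the sample records are all constructed assumptions.

```python
"""Change-record checks for a 3.4.3 change log.

Added example (not from the page or any product): validates that each entry
carries the minimum fields an assessor needs to reconstruct the change, flags
a requester approving their own change, flags emergency changes documented
outside the 24-48 hour window, and renders the before/after configuration
diff. All field names and sample records below are constructed assumptions.
"""
from __future__ import annotations

import difflib
from datetime import datetime, timezone

# Minimum fields an assessor needs to reconstruct a change (names are assumptions).
REQUIRED_FIELDS = (
    "change_id", "system", "description", "requested_by",
    "approved_by", "implemented_at", "justification",
)
EMERGENCY_DOC_LIMIT_HOURS = 48  # upper end of the 24-48 h retroactive window


def _parse_ts(value):
    """Parse an ISO 8601 timestamp; naive values are assumed to be UTC."""
    try:
        ts = datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def validate_change_record(rec: dict) -> list[str]:
    """Return findings for one change record; an empty list means it is complete."""
    findings = [f"missing or empty field: {f}" for f in REQUIRED_FIELDS if not rec.get(f)]

    implemented = _parse_ts(rec.get("implemented_at"))
    if rec.get("implemented_at") and implemented is None:
        findings.append("implemented_at is not an ISO 8601 timestamp")

    # Separation of duties (assumed practice): the requester must not be the approver.
    if rec.get("approved_by") and rec.get("approved_by") == rec.get("requested_by"):
        findings.append("requester and approver are the same person (separation of duties)")

    # Emergency changes may be written up after the fact, but within 24-48 hours.
    if rec.get("emergency"):
        documented = _parse_ts(rec.get("documented_at"))
        if documented is None:
            findings.append("emergency change has no documented_at timestamp")
        elif implemented is not None:
            lag_h = (documented - implemented).total_seconds() / 3600
            if lag_h > EMERGENCY_DOC_LIMIT_HOURS:
                findings.append(
                    f"emergency change documented {lag_h:.0f} h after implementation "
                    f"(limit {EMERGENCY_DOC_LIMIT_HOURS} h)")
    return findings


def config_diff(before: str, after: str, label: str = "config") -> str:
    """Unified diff of the before/after configuration captured with the change."""
    return "".join(difflib.unified_diff(
        before.splitlines(keepends=True), after.splitlines(keepends=True),
        fromfile=f"{label} (before)", tofile=f"{label} (after)"))


def audit_change_log(records) -> dict:
    """Map each change_id to its findings so gaps are visible at a glance."""
    return {r.get("change_id", "<no id>"): validate_change_record(r) for r in records}


# Constructed sample records (not real systems or people).
SAMPLE_RECORDS = [
    {   # complete record for a normal (non-emergency) change
        "change_id": "CHG-0001", "system": "fileserver-01",
        "description": "Disable SMBv1 on file server", "requested_by": "j.doe",
        "approved_by": "a.smith", "implemented_at": "2024-03-12T14:05:00+00:00",
        "justification": "Remove deprecated protocol flagged in vulnerability scan",
        "before": "SMB1 = enabled\nSMB2 = enabled\n",
        "after": "SMB1 = disabled\nSMB2 = enabled\n",
    },
    {   # self-approved and missing its justification
        "change_id": "CHG-0002", "system": "fw-edge-01",
        "description": "Open TCP/8443 inbound", "requested_by": "j.doe",
        "approved_by": "j.doe", "implemented_at": "2024-03-13T09:30:00+00:00",
        "justification": "",
    },
    {   # emergency change written up 56 hours after it was made
        "change_id": "CHG-0003", "system": "dc-01", "emergency": True,
        "description": "Emergency patch for authentication service",
        "requested_by": "on-call", "approved_by": "it.manager",
        "implemented_at": "2024-03-15T02:00:00+00:00",
        "documented_at": "2024-03-17T10:00:00+00:00",
        "justification": "Service outage",
    },
]

if __name__ == "__main__":
    for change_id, findings in audit_change_log(SAMPLE_RECORDS).items():
        print(change_id, "OK" if not findings else findings)
    print(config_diff(SAMPLE_RECORDS[0]["before"], SAMPLE_RECORDS[0]["after"], "smb.conf"))
```

Running the script lists each change with its findings and prints the SMB configuration diff for the first record. The same checks can be pointed at an export from a ticketing system or a spreadsheet by loading those rows into the same dictionary shape.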
How do we track changes made by our managed service provider or cloud vendor?
You must ensure your MSP or vendor provides change documentation that meets this control's requirements. Include change management requirements in your contracts, require notification and approval for changes, and obtain regular change reports. For cloud services, use native logging tools and ensure you have access to audit trails showing configuration changes.
Are there any changes that can be exempt from this control?
While the control applies broadly, organizations may define categories of low-risk routine changes that follow a simplified approval process. However, all changes must still be logged and tracked. Changes that affect security controls, CUI access, or system boundaries should always require full formal approval regardless of how routine they may seem.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.