Information resource owners shall require that all changes to production systems follow the Agency's approved change management process.
Changes are made to production systems without a formal change process.
The organization requires the developer of the information system, system component, or information system service to:
a. Perform configuration management during system, component, or service [Selection (one or more): design; development; implementation; operation];
b. Document, manage, and control the integrity of changes to [Assignment: organization-defined configuration items under configuration management];
c. Implement only organization-approved changes to the system, component, or service;
d. Document approved changes to the system, component, or service and the potential security impacts of such changes; and
e. Track security flaws and flaw resolution within the system, component, or service and report findings to [Assignment: organization-defined personnel].
The organization should have documented change control procedures that:
a. require approval for making changes;
b. take into account the impact on information security and related configurations;
c. perform an appropriate level of testing of changes, including information security testing, as applicable;
d. track defects and security flaws; and
e. require approval from the appropriate level of management for authorizing changes into production.
All security-related information resources changes shall be approved by the information owner through a change control process. Approval shall occur prior to implementation by the state organization or independent contractors.
Obtain the system and services acquisition policy; procedures addressing information system developer/integrator configuration management; acquisition contracts and service level agreements; the information system developer/integrator configuration management plan; security flaw tracking records; system change authorization records; and other relevant documents or records, and ascertain if:
(i) the organization requires that information system developers create and implement a configuration management plan that controls changes to the system during development, tracks security flaws, requires authorization of changes, and provides documentation of the plan and its implementation.