CM-3 Configuration Change Control

Family: CM
Baselines: moderate
Mapped KSIs: 4

Control statement

a. Determine and document the types of changes to the system that are configuration-controlled;
b. Review proposed configuration-controlled changes to the system and approve or disapprove such changes with explicit consideration for security and privacy impact analyses;
c. Document configuration change decisions associated with the system;
d. Implement approved configuration-controlled changes to the system;
e. Retain records of configuration-controlled changes to the system for {{ insert: param, cm-03_odp.01 }};
f. Monitor and review activities associated with configuration-controlled changes to the system; and
g. Coordinate and provide oversight for configuration change control activities through {{ insert: param, cm-03_odp.02 }} that convenes {{ insert: param, cm-03_odp.03 }}.

Requirement: The service provider establishes a central means of communicating major changes to or developments in the information system or environment of operations that may affect its services to the federal government and associated service consumers (e.g., electronic bulletin board, web status page). The means of communication are approved and accepted by the JAB/AO.

(e) Guidance: In accordance with record retention policies and procedures.

Parameter placeholders of the form {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. The full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

| KSI | Title | Description | Category |
| --- | --- | --- | --- |
| KSI-CMT-01 | Log and Monitor Changes | Log and monitor modifications to the cloud service offering. | Change Management |
| KSI-CMT-02 | Redeployment | Execute changes to _machine-based_ _information resources_ through redeployment of version controlled immutable resources rather than direct modification wherever possible. | Change Management |
| KSI-CMT-03 | Automated Testing and Validation | Automate persistent testing and validation of changes throughout deployment. | Change Management |
| KSI-CMT-04 | Change Management Procedures | _Persistently_ review the effectiveness of documented change management procedures. | Change Management |