SYSTEM AND ENVIRONMENT CHANGES
Monitor the information system and its environment of operation for changes that impact the security and privacy posture of the system.
Potential Inputs: Organizational continuous monitoring strategy; organizational configuration management policy and procedures; organizational policy and procedures for handling unauthorized system changes; security and privacy plans; configuration change requests/approvals; system design documentation; security and privacy assessment reports; plans of action and milestones; information from automated and manual monitoring tools.
Expected Outputs: Updated security and privacy plans; updated plans of action and milestones; updated security and privacy assessment reports.
Primary Responsibility: System Owner or Common Control Provider; Senior Agency Information Security Officer; Senior Agency Official for Privacy.
Supporting Roles: Senior Accountable Official for Risk Management or Risk Executive (Function); Authorizing Official or Authorizing Official Designated Representative; Information Owner or Steward; System Security Officer; System Privacy Officer.
System Development Life Cycle Phase: New – Operations/Maintenance. Existing – Operations/Maintenance.
Discussion: Systems and environments of operation are in a constant state of change, with changes occurring in the technology or machine elements, the human elements, and the physical or environmental elements. Changes to the technology or machine elements include, for example, upgrades to hardware, software, or firmware; changes to the human elements include, for example, staff turnover or a reduction in force; and modifications to the surrounding physical and environmental elements include, for example, changes in the location of the facility or the physical access controls protecting the facility. Changes made by external providers can be difficult to detect. A disciplined and structured approach to managing, controlling, and documenting changes to systems and environments of operation, and adherence to the terms and conditions of the authorization, is an essential element of security and privacy programs. Organizations establish configuration management and control processes to support configuration and change management.[105]
Common activities within organizations can cause changes to systems or the environments of operation and can have a significant impact on the security and privacy posture of systems. Examples include installing or disposing of hardware, making changes to configurations, and installing patches outside of the established configuration change control process. Unauthorized changes may occur because of purposeful attacks by adversaries or inadvertent errors by authorized personnel. In addition to adhering to the established configuration management process, organizations monitor for unauthorized changes to systems and analyze information about unauthorized changes that have occurred to determine the root cause of the unauthorized change. In addition to monitoring for unauthorized changes, organizations continuously monitor systems and environments of operation for any authorized changes that impact the privacy posture of systems.[106]
Once the root cause of an unauthorized change (or an authorized change that impacts the privacy posture of the system) has been determined, organizations respond accordingly (see Task M-3). For example, if the root cause of an unauthorized change is determined to be an adversarial attack, multiple actions could be taken such as invoking incident response processes, adjusting intrusion detection and prevention tools and firewall configurations, or implementing additional or stronger controls to reduce the risk of future attacks. If the root cause of an unauthorized change is determined to be a failure of staff to adhere to established configuration management processes, remedial training for certain individuals may be warranted.
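The monitoring step described above (compare the system against its approved configuration baseline, then decide whether each deviation was sanctioned by the configuration change control process) can be illustrated in code. The following is an added example and is not part of SP 800-37 or of any NIST tool; the baseline entries, the observed state, and the change request identifier CR-0042 are all constructed for the illustration. A deviation is treated as authorized only when an approved change request covers that configuration item and the observed state matches what the request approved; everything else is reported as unauthorized so it can be analyzed for root cause and reflected in the plan of action and milestones.

```python
"""Classify observed configuration deviations as authorized or unauthorized.

Added example (not from NIST SP 800-37): an approved baseline is compared with
the currently observed state, and each deviation is checked against the approved
change requests from the configuration change control process. All inputs below
are constructed inline so the example runs offline.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


def digest(content: str) -> str:
    """SHA-256 of a configuration item's content, used as its recorded state."""
    return hashlib.sha256(content.encode()).hexdigest()


# Constructed approved baseline: configuration item -> approved state.
APPROVED_BASELINE: Dict[str, str] = {
    "/etc/ssh/sshd_config": digest("PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/sudoers": digest("root ALL=(ALL) ALL\n"),
    "firmware:bmc": digest("bmc-1.2.0"),
}

# Constructed observation, as an automated monitoring tool might report it:
# one firmware upgrade, one sudoers edit, and one new file with no baseline entry.
OBSERVED: Dict[str, str] = {
    "/etc/ssh/sshd_config": digest("PermitRootLogin no\nPasswordAuthentication no\n"),
    "/etc/sudoers": digest("root ALL=(ALL) ALL\nops ALL=(ALL) NOPASSWD: ALL\n"),
    "firmware:bmc": digest("bmc-1.3.0"),
    "/opt/agent/bin/helper": digest("unreviewed binary"),
}

# Constructed approved change requests (CR-0042 is a hypothetical identifier).
# Each request names the item it covers and the state it approved.
APPROVED_CHANGES: Dict[str, Dict[str, str]] = {
    "CR-0042": {"item": "firmware:bmc", "expected": digest("bmc-1.3.0")},
}


@dataclass
class Finding:
    item: str
    kind: str                       # "added", "removed", or "modified"
    status: str                     # "authorized" or "unauthorized"
    change_request: Optional[str]   # approving request, if any


def classify_changes(baseline: Dict[str, str], observed: Dict[str, str],
                     approved_changes: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Return one Finding for every deviation of the observed state from the baseline."""
    approved_by_item = {c["item"]: (cr, c["expected"]) for cr, c in approved_changes.items()}
    findings: List[Finding] = []
    for item in sorted(set(baseline) | set(observed)):
        if item in baseline and item not in observed:
            kind = "removed"
        elif item not in baseline:
            kind = "added"
        elif baseline[item] != observed[item]:
            kind = "modified"
        else:
            continue  # unchanged: nothing to report
        cr, expected = approved_by_item.get(item, (None, None))
        # Authorized only if a request covers this item AND the observed state is
        # exactly what it approved; a request for one version does not sanction another.
        authorized = cr is not None and observed.get(item) == expected
        findings.append(Finding(item, kind, "authorized" if authorized else "unauthorized",
                                cr if authorized else None))
    return findings


def unauthorized_items(findings: List[Finding]) -> List[str]:
    """Items needing root-cause analysis and follow-up (see Task M-3)."""
    return sorted(f.item for f in findings if f.status == "unauthorized")


if __name__ == "__main__":
    for f in classify_changes(APPROVED_BASELINE, OBSERVED, APPROVED_CHANGES):
        print(f"{f.status:12} {f.kind:9} {f.item}  ({f.change_request or 'no approved request'})")
```

Run as a script, the sudoers edit and the new binary are reported as unauthorized while the firmware upgrade is attributed to CR-0042. Tracking which finding is authorized matters for the privacy side of this task as well: an approved change can still alter the privacy posture and needs the same review.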
References: [SP 800-30]; [SP 800-128]; [SP 800-137]; [IR 8062].
[105] [SP 800-128] provides guidance on security-focused configuration management (SecCM). Note that the SecCM process described in [SP 800-128] includes a related monitoring step.
[106] For information about the distinction between authorized and unauthorized system behavior, see the discussion of security and privacy in Section 2.3.