Overview
All information systems are under the control of a chartered Configuration Control Board that meets regularly according to DCPR-1. The IAM is a voting member of the CCB.
Threat
Without a Configuration Control Board, arbitrary, unapproved, and undocumented changes and updates to information system baselines have the potential to negatively impact system integrity and availability. A chartered Configuration Control Board provides a vetting process for technical review and formal approval of network changes to help prevent rogue system modifications.
Guidance
1. Each Component shall formally charter a CCB for the purpose of monitoring and controlling configuration changes within all information systems under its purview.
2. CCB members shall be appointed in writing for a specified period of time and their duties outlined by title, position, and system.
3. The IAM shall be a regular, voting member of the CCB.*
4. All decisions made by the CCB, including any changes to the system baseline, shall be documented and maintained in the appropriate configuration management system.
* Note: This requirement is more stringent than DCCB-1.
DoD classifies this control in the subject area of “Security Design and Configuration” with an impact of “Medium”.