CMMC Practice Requirement:

Analyze the security impact of changes prior to implementation.

CMMC Requirement Explanation:

Failing to analyze changes for potential security impacts could result in the deployment of a change that increases cyber risk. By reviewing change for security impacts your can avoid this.

Example CMMC Implementation:

Before implementing a change create a plan and submit it to your change control board to identify any potential security impacts. If they identify any potential issues update your plan and resubmit it for approval.


- Scenario 1:

Alice, a system administrator wants to uninstall the anti-malware software from her company's file server. Alice wants to do this because the anti-malware software is consuming RAM on the server. She proposes this change to the change control board. The board rejects the proposal because it would have negative impacts on security. The board tells Alice to upgrade the RAM on the server instead of uninstalling the anti-malware software.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance