
DCCB-2 Control Board


Overview

All information systems are under the control of a chartered Configuration Control Board that meets regularly according to DCPR-1. The IAM is a voting member of the CCB.

MAC / CONF: MACI, MACII, MACIII
Impact: Medium
Subject Area: Security Design and Configuration

Details

Threat
Without a Configuration Control Board, arbitrary, unapproved, and undocumented changes and updates to information system baselines have the potential to negatively impact system integrity and availability. A chartered Configuration Control Board provides a vetting process for technical review and formal approval of network changes to help prevent rogue system modifications.

Guidance
1. Each Component shall formally charter a CCB for the purpose of monitoring and controlling configuration changes within all information systems under its purview.
2. CCB members shall be appointed in writing for a specified period of time and their duties outlined by title, position, and system.
3. The IAM shall be a regular, voting member of the CCB.*
4. All decisions made by the CCB, including any changes to the system baseline, shall be documented and maintained in the appropriate configuration management system.
 
* Note: This requirement is more stringent than DCCB-1.

References

  • CJCSI - Information Assurance (IA) and Computer Network Defense (CND)
  • ANSI/EIA-649 “National Consensus Standard for Configuration Management”, July 1998