HOME

CM-5 (2)

CM-5 (2) H
Description

The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.

FedRAMP
  • H CM-5 (2) [at least every thirty (30) days]
DISA Cloud Computing SRG

Every 90 days or more frequently as the organization defines for high systems AND at least annually or more frequently as the organization defines for low and moderate systems;

When there is an incident or when planned changes have been performed

Source:
DoD RMF TAG

Supplemental Guidance

Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process.

Related Controls