NIST SP 800-171 R3 03.04.03: Configuration Change Control

What this control requires

(a) Define the types of changes to the system that are configuration-controlled. (b) Review proposed configuration-controlled changes to the system, and approve or disapprove such changes with explicit consideration for security impacts. (c) Implement and document approved configuration-controlled changes to the system. (d) Monitor and review activities associated with configuration-controlled changes to the system.

Source: NIST SP 800-171 R3 §03.04.03 (official control text).

Why this matters

Configuration change control prevents unauthorized or untested system modifications that could introduce vulnerabilities, cause outages, or create backdoors for attackers. Without a structured review process, well-meaning engineers can inadvertently disable security features, open firewall ports, or install vulnerable software versions. This control ensures that every configuration change (firewall rule updates, OS patches, application deployments) follows a documented approval workflow that explicitly considers security impact before implementation. It protects CUI by maintaining the integrity of security baselines and preventing the configuration drift that attackers exploit.

What evidence assessors expect

Assessors typically look for artifacts such as PDF documents, screenshots, and CSV exports. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

See your live posture on 03.04.03.

FORCE shows where you stand on this control and walks you through closing it.