GRCWatch
Sign inStart free trial

CMMC Level 2 Control CM.L2-3.4.3: System Change Control

System change control is your safeguard against unauthorized or poorly planned modifications that compromise security and compliance. This CMMC Level 2 requirement ensures every change to your information systems is tracked, reviewed, approved, and documented before deployment. For SMBs managing lean IT teams, automating this process eliminates manual tracking gaps and audit risk.

What this means

System change control requires organizations to establish and maintain formal processes for managing all changes to information systems. This includes identifying proposed changes, evaluating their security and operational impact, obtaining documented approval before implementation, and maintaining complete audit logs of all modifications. The goal is to prevent unauthorized, untested, or poorly planned changes that could introduce vulnerabilities or disrupt operations.

How to comply

  1. 1.Define a formal change management policy that covers all system modifications, including hardware, software, configurations, and security settings
  2. 2.Create a change request form or ticketing system that captures the nature of the change, business justification, risk assessment, and required approvals
  3. 3.Establish a change review board or approval process with clearly defined roles (requester, reviewer, approver) and authority levels
  4. 4.Document all changes before implementation, including what changed, who approved it, when it occurred, and what the baseline configuration was
  5. 5.Test changes in a non-production environment first to identify potential security or operational issues before deploying to live systems
  6. 6.Maintain a complete audit trail of all changes with timestamps and approver identities for compliance verification and incident investigation
  7. 7.Review and update your change control procedures regularly to reflect new systems, emerging threats, and lessons learned

Evidence auditors look for

  • Change management policy document that outlines the formal change control process
  • Change request forms or tickets showing proposed changes with business justification and risk assessment
  • Approval records from designated change review board members or system owners
  • System configuration baselines and documentation showing before/after states for each approved change
  • Change logs from change management tools (Jira, ServiceNow, Azure DevOps) with complete audit trails
  • Testing and validation records demonstrating pre-deployment verification in non-production environments
  • Monthly or quarterly change control audit reports showing compliance with approval workflows

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates change request workflows and maintains audit-ready logs of all system modifications, eliminating manual tracking and ensuring every change has documented approval before deployment.

See how GRCWatch handles this control automatically

Start free trial

Related controls

CM.L2-3.4.1 — Baseline ConfigurationCM.L2-3.4.2 — Configuration Change — DetectionSI.L2-3.14.1 — Information System MonitoringCA.L2-3.2.1 — Authorizations and Approvals