Distribution Statement A: Approved for Public Release; Distribution is Unlimited 37
Appendix D. CRR/CERT-RMM Practice/NIST CSF Subcategory Reference
Table 4 cross-references the CRR Configuration and Change Management Domain goals and practice questions to the NIST CSF Categories/Subcategories and the sections of this guide that address those questions. Users of this guide may wish to review the CRR Question Set with Guidance available at https://www.us-cert.gov/ccubedvp for more information on interpreting practice questions. The NIST CSF, available at https://www.us-cert.gov/ccubedvp, also provides informative references for interpreting Category and Subcategory statements.
Table 4: Cross-Reference of CRR Goals/Practices and NIST CSF Category/Subcategory Against the Configuration and Change Management Resource Guide

| CRR Goal and Practice [CERT-RMM Reference] | NIST CSF Category/Subcategory | Configuration and Change Management Resource Guide Reference |
|---|---|---|
| Goal 1: The lifecycle of assets is managed. | | |
| 1. Is a change management process used to manage modifications to assets? [ADM:SG3.SP2] | PR.IP-3: Configuration change control processes are in place. | Section III |
| 2. Are resilience requirements evaluated as a result of changes to assets? [RRM:SG1.SP3] | PR.IP-3: Configuration change control processes are in place. | Section III, Step 7 |
| 3. Is capacity management and planning performed for assets? [TM:SG5.SP3] | PR.DS-4: Adequate capacity to ensure availability is maintained. | Section III, Step 3; Section III, Step 11 |
| 4. Are change requests tracked to closure? [TM:SG4.SP3] | PR.IP-3: Configuration change control processes are in place. | Section V, Step 6 |
| 5. Are stakeholders notified when they are affected by changes to assets? [SC:SG3.SP4] | PR.IP-3: Configuration change control processes are in place. | Section V, Step 3; Section V, Step 4 |
| Goal 2: The integrity of technology and information assets is managed. | — | |
| 1. Is configuration management performed for technology assets? [TM:SG4.SP2] | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained. | Section II |
| 2. Are techniques in use to detect changes to technology assets? [TM:SG4.SP2] | PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. | Section VI |
| 3. Are modifications to technology assets reviewed? [TM:SG4.SP3; TM:SG4.SP2] | PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained. PR.IP-3: Configuration change control processes are in place. | Section VI, Step 5 |
| 4. Are integrity requirements used to determine which staff members are authorized to modify information assets? [KIM:SG5.SP1] | PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties. PR.IP-3: Configuration change control processes are in place. PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening). | Section III, Step 3 |
| 5. Is the integrity of information assets monitored? [KIM:SG5.SP3] | PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity. | Section VI, Step 3 |
| 6. Are unauthorized or unexplained modifications to technology assets addressed? [TM:SG4.SP2; TM:SG4.SP3] | PR.IP-3: Configuration change control processes are in place. | Section VI, Step 5 |
| 7. Are modifications to technology assets tested before being committed to production systems? [TM:SG4.SP4] | PR.DS-7: The development and testing environment(s) are separate from the production environment. | Section V, Step 2 |