CM-3e Parameter Requirement: Retained for a period of not less than 1 year or in accordance with record retention policies and procedures; whichever is greater.
Audits and reviews activities associated with configuration-controlled changes to the information system; and Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more):
Assignment: organization-defined frequency
Assignment: organization-defined configuration change conditions
**CM-3g Parameters 1-3 Requirement: **GSA S/SO or Contractor recommendation to be approved and accepted by the GSA AO. Systems shall establish a central means (bulletin, status page, etc) of communicating major changes/development affecting services.
The customer is responsible for establishing a Configuration Change Control process for their information systems built on the AWS infrastructure. This includes controlling the configuration of the guest Operating System and any applications that are installed on the customer’s instances.
Additionally, the customer is responsible for testing, validating, analyzing changes to their information system built on the AWS infrastructure to determine potential security impacts, and documenting changes to the information system before implementing the changes on their operational systems built on the AWS infrastructure. This also includes the guest Operating System and any applications that are installed on the customer’s instances.