ID.RA-07
Changes and exceptions are managed, assessed for risk impact, recorded, and tracked
Implementation examples
- Ex1: Implement and follow procedures for the formal documentation, review, testing, and approval of proposed changes and requested exceptions
- Ex2: Document the possible risks of making or not making each proposed change, and provide guidance on rolling back changes
- Ex3: Document the risks related to each requested exception and the plan for responding to those risks
- Ex4: Periodically review risks that were accepted based upon planned future actions or milestones
Mapped NIST 800-53 r5 controls (3)
Mapped CWE weaknesses (1)
All informative references (60)
- AI-SOC: AI-SOC-21
- AI-SOC: AI-SOC-05
- CCMv4.0: A&A-05
- CCMv4.0: AIS-06
- CCMv4.0: CCC-02
- CCMv4.0: CCC-03
- CCMv4.0: CCC-06
- CCMv4.0: CCC-08
- CCMv4.0: CCC-09
- CCMv4.0: CEK-05
- CCMv4.0: CEK-06
- CCMv4.0: GRC-04
- CCMv4.0: UEM-07
- CRI Profile v2.0: ID.RA-07
- CRI Profile v2.0: ID.RA-07.01
- CRI Profile v2.0: ID.RA-07.02
- CRI Profile v2.0: ID.RA-07.03
- CRI Profile v2.0: ID.RA-07.04
- CRI Profile v2.0: ID.RA-07.05
- CSF v1.1: PR.IP-3
- CoP: A5
- ISO/IEC 27001:2022: Mandatory Clause: 6.1.3
- ISO/IEC 27001:2022: Annex A Controls: 8.32
- NICE Framework: IO-WRL-006
- NICE Framework: OG-WRL-010
- NICE Framework: OG-WRL-011
- NICE Framework: OG-WRL-013
- NICE Framework: OG-WRL-014
- NICE Framework: PD-WRL-006
- NICE Framework: PD-WRL-007
- OWASP Top 10 LLM Applications: LLM03-2025
- OWASP Top 10 LLM Applications: LLM04-2025
- PCI DSS: 12.3.1
- PCI DSS: 12.3.2
- PCI DSS: 10.4.2.1
- PCI DSS: 9.5.1.2.1
- PCI DSS: 8.6.3
- SCF: CHG-01
- SCF: CHG-02
- SCF: CHG-02.1
- SCF: CHG-02.2
- SCF: CHG-03
- SCF: CHG-04
- SDOS: SDOS-AU-01
- SDOS: SDOS-GV-01
- SDOS: SDOS-GV-04
- SDOS: SDOS-IN-01
- SP 800-171 Rev 3: 03.04.03
- SP 800-171 Rev 3: 03.04.04
- SP 800-221A: MA.RI-3
- SP 800-53 Rev 5.1.1: CA-07
- SP 800-53 Rev 5.1.1: CM-03
- SP 800-53 Rev 5.1.1: CM-04
- SP 800-53 Rev 5.2.0: CA-07
- SP 800-53 Rev 5.2.0: CM-03
- SP 800-53 Rev 5.2.0: CM-04
- SP-800-37 Rev 2: RMF Select Step: TASK S-4 Documentation of Planned Control Implementations
- SP-800-37 Rev 2: RMF Implement Step: TASK I-2 Update Control Implementation Information
- SP-800-37 Rev 2: RMF Assess Step: TASK A-6 Plan of Action and Milestones
- SSDF: PO.5.2
Source: NIST Cybersecurity Framework 2.0 · CSF 2.0 → 800-53 mappings sourced from NIST Cybersecurity & Privacy Reference Tool (CPRT) · US government work — attribution requested per NIST Open License Terms.