MIL1 requirements
a. Changes to assets are evaluated and approved before being implemented, at least in an ad hoc manner
b. Changes to assets are documented, at least in an ad hoc manner
MIL2 requirements
c. Documentation requirements for asset changes are established and maintained
d. Changes to higher priority assets are tested prior to being deployed
e. Changes and updates are implemented in a secure manner
f. The capability to reverse changes is established and maintained for assets that are important to the delivery of the function
g. Change management practices address the full lifecycle of assets (for example, acquisition, deployment, operation, retirement)
MIL3 requirements
h. Changes to higher priority assets are tested for cybersecurity impact prior to being deployed
i. Change logs include information about modifications that impact the cybersecurity requirements of assets
In systematic cyber security work, the impact of significant changes must be assessed in advance, and the changes must be executed in a controlled way. The consequences of unintentional changes must be assessed, and efforts must be made to mitigate possible adverse effects.
Significant changes may include changes in the organization, operating environment, business processes and data systems. Changes can be identified, for example, through management reviews and other cyber security work.