Manage changes to Technology Assets, Applications, Services and Data (TAASD) through an authorized, risk-based process that evaluates, implements and validates changes before and after deployment.
Organizations ensure technology and business stakeholders assess, authorize, test, implement, monitor and validate changes to minimize production impact, preserve availability, support rollback and maintain secure configurations.
Unauthorized or poorly tested changes are one of the most consistent sources of production security failures. The CHG domain governs the process by which changes to Technology Assets, Applications, Services and Data (TAASD) get evaluated, authorized, tested, implemented and validated. The risk-based framing in the SCF's principle matters: not all changes carry the same risk and a process calibrated only for emergency patches will produce different problems than one calibrated only for major releases.
The SCF's intent for CHG is proactive change management processes. A change management process that cannot reverse a failed change is not a change management process; it is change deployment with no safety net. The SCF requires that changes be validated both before and after deployment, which means post-deployment verification is a control requirement, not an optional step that teams skip when they're confident.
Change management sits adjacent to Configuration Management (CFG) but serves a different function. CFG defines what the secure baseline looks like. CHG governs how you get from one baseline to another without introducing unauthorized or untested modifications along the way.