Episode 19 — CC8 Change Management & SDLC (incl. IaC Basics)
The purpose and scope of Common Criteria 8 (CC8) focus on how organizations govern change—whether to infrastructure, code, or configurations—without compromising stability, security, or compliance. Change management under CC8 ensures that every modification is planned, tested, reviewed, and approved before release. It also integrates with the Secure Software Development Lifecycle (SDLC), embedding quality and risk mitigation from design through deployment. With the growing adoption of Infrastructure as Code (IaC), CC8 extends these expectations to automated infrastructure provisioning, ensuring that every script or pipeline is version-controlled, peer-reviewed, and auditable. The goal is clear: sustain reliability, traceability, and accountability so that innovation never comes at the expense of assurance.
The first step in a disciplined program is change classification and risk assessment. Changes should be categorized based on potential impact and urgency—standard, normal, or emergency. Standard changes are routine, low-risk, and often preapproved, such as scheduled patch cycles. Normal changes carry moderate risk and require structured testing and approvals. Emergency changes, reserved for critical incidents, receive expedited handling but require retrospective review. Each classification should include a risk score that dictates review depth, testing rigor, and required approvers. Documenting classification rationale ensures consistency and enables auditors to trace why a particular path was chosen. A well-tuned classification matrix turns change management from bureaucracy into a practical risk-control mechanism.
The Change Advisory Board (CAB) provides formal oversight for significant changes. Its membership should represent key operational, security, and business stakeholders capable of evaluating readiness and risk. The CAB’s purpose isn’t to slow change but to verify that high-impact releases meet quality standards and that rollback plans exist. Meetings should be structured with quorum requirements, defined review criteria, and documented minutes capturing decisions and rationale. Deferred or rejected changes must include improvement notes for resubmission. By maintaining transparent records of deliberations, the CAB demonstrates governance maturity while empowering informed, risk-balanced progress.
The SDLC framework under CC8 defines how code moves from idea to production. Environments must be separated—development, testing, staging, and production—to prevent unverified code from reaching users. Duties should be clearly divided: developers write and test, reviewers approve, and release teams deploy. Peer reviews and merge controls are non-negotiable, ensuring that multiple sets of eyes evaluate every change. Testing standards, including acceptance criteria, must be defined for functionality, performance, and security. When these stages operate consistently, each environment acts as a quality filter, ensuring that what reaches production has already proven its resilience under controlled conditions.
Sound source control discipline is the backbone of both SDLC and IaC. All code, configuration, and scripts must reside in version-controlled repositories. Branch protection rules and pull request reviews ensure that no unauthorized or unreviewed changes merge into main branches. Commit messages must link to corresponding tickets or change requests, creating a traceable narrative from business need to technical execution. Automated pre-merge checks—linting, static analysis, and syntax validation—catch errors early. Source control records also serve as a forensic record, showing exactly who changed what, when, and why—an invaluable asset during audits or incident investigations.
Adopting Infrastructure as Code (IaC) extends software engineering discipline to infrastructure operations. Declarative templates describe systems, networks, and policies, making environments reproducible and version-controlled. Peer review of IaC changes provides oversight equivalent to that of code reviews. Validation pipelines run automated tests and linting to detect misconfigurations before deployment. Rollback capabilities, enabled through state management and immutable storage, ensure that infrastructure can be restored to its last known good state quickly. IaC reduces configuration drift and enables consistent, repeatable environments across development and production, transforming operations into predictable, testable, and auditable code.
The change approval workflow formalizes accountability. Every change request must include a documented risk assessment, owner, and reviewer assignment. Sensitive or production-related updates require dual sign-off—often by both technical and business stakeholders. Approvals should link to supporting artifacts, such as test results or change validation evidence. Automated workflows in ticketing systems or CI/CD pipelines enforce consistency, ensuring that no deployment bypasses required steps. This governance layer balances agility and control, ensuring that speed never undermines safety or auditability.
Effective testing and validation practices are the difference between theoretical and operational assurance. Functional testing verifies that features perform as intended; integration testing confirms that new changes don’t disrupt existing systems; regression testing ensures that fixes don’t reintroduce prior issues. Security and performance tests validate resilience under stress and against attack vectors. Testing should occur in staging environments that mirror production as closely as possible. Results must be signed by testers and archived as evidence. By codifying validation procedures, CC8 ensures that quality is proven before release, not assumed after deployment.
Deployment and release management represent the final checkpoint before customers experience change. Automation through CI/CD pipelines reduces error and improves traceability, as each deployment step generates logs and evidence. Techniques such as canary, blue-green, or rolling deployments allow gradual release and rapid rollback if anomalies arise. Contingency plans define rollback triggers and owners responsible for execution. Post-deployment verification ensures that the change achieved its intended result without unintended effects. This structured release discipline preserves uptime while enabling continuous delivery, demonstrating that innovation and stability can coexist.
Despite best preparation, urgent scenarios demand clear emergency change handling. Criteria for invoking emergency procedures should be explicit—typically critical production outages or severe security vulnerabilities. These changes require expedited approval but must still include validation, testing in controlled conditions, and documented impact analysis. Retrospective reviews by the CAB confirm whether the response was justified and identify improvements for future readiness. Emergency change governance proves the organization’s ability to act decisively under pressure while maintaining traceability and control.
Finally, configuration drift prevention ensures that systems remain aligned with approved baselines after deployment. Drift detection tools compare live configurations to golden templates, alerting when unauthorized or unplanned changes appear. Automated reconciliation restores compliance by reapplying baseline settings or triggering change tickets for investigation. Regular audits confirm that configurations remain consistent across environments. Drift control closes the loop between design, deployment, and monitoring, reinforcing the integrity of the operational ecosystem.
For more cyber related content and books, please check out cyber author dot me. Also, there are other prepcasts on Cybersecurity and more at Bare Metal Cyber dot com.
The principle of segregation of duties (SoD) ensures that no single individual has unchecked control over the entire change process. Developers should not have direct deployment rights to production, and administrators should not merge unreviewed code. Separate credentials and access roles enforce these boundaries, while peer reviews act as a second layer of defense against accidental or malicious alterations. Release managers or change coordinators oversee approvals to maintain independence. Segregation is more than a compliance checkbox—it is a safeguard against human error and insider risk. When each role has defined authority and oversight, accountability becomes embedded in every deployment decision.
Modern organizations rely heavily on tooling and automation enablement to enforce these principles at scale. Ticketing systems such as Jira or ServiceNow integrate with CI/CD pipelines, ensuring that every code commit or infrastructure update references an approved change request. Approvals are enforced programmatically—deployments simply cannot proceed without the required sign-offs. Audit logs record every step from build to release, providing full visibility for reviewers and auditors. Dashboards display throughput, change frequency, and risk ratings, allowing teams to balance velocity with safety. Automation shifts change management from a manual bottleneck into a governed, transparent process embedded within daily workflows.
Security and quality assurance depend on proactive static and dynamic analysis. Static Application Security Testing (SAST) tools scan source code and IaC templates for vulnerabilities, secrets, or insecure patterns before deployment. Software composition analysis tracks dependencies and generates a Software Bill of Materials (SBOM) to identify third-party components subject to known vulnerabilities. Dynamic testing (DAST) simulates attacks on running applications to expose configuration and runtime weaknesses. All results must feed directly into remediation workflows or issue backlogs for tracking and closure. This integration between code analysis and change control ensures vulnerabilities are managed as part of normal development—not as afterthoughts.
Version control doesn’t stop at code—it extends to infrastructure and releases through versioning and rollback control. Semantic versioning gives structure to numbering, clearly signaling the nature of changes: patches, minor enhancements, or major updates. Each release must be tagged with timestamps, approvers, and related change tickets, ensuring end-to-end traceability. Rollback plans should be tested regularly so that any deployment can be reversed with minimal disruption. Artifact retention—storing prior builds, configurations, and scripts—enables forensic reconstruction if issues arise later. Version discipline turns the SDLC into a continuous yet recoverable cycle, where innovation and assurance coexist without friction.
Coordinating change windows ensures predictability and communication. Maintenance schedules and blackout periods protect critical business operations, while customers and internal teams must receive timely notification of planned downtime or risk. Coordination extends to vendors and subservice providers whose maintenance activities could affect shared infrastructure. Exceptions or overrides require explicit approval, ensuring all parties remain informed and aligned. Documented communication plans, including escalation contacts, create transparency and minimize confusion during deployments. Well-orchestrated change windows preserve trust by demonstrating control, readiness, and respect for service continuity.
Auditors expect rigorous evidence and documentation to verify CC8 compliance. This includes change tickets showing submission, review, and approval dates; code review logs with linked pull requests; and test results stored with validation reports. Configuration diffs document exactly what was altered, while deployment logs show execution steps and outcomes. Collectively, these records demonstrate that changes were not only approved but executed according to procedure. Maintaining evidence in centralized, immutable repositories simplifies audits and reinforces confidence that processes function as intended.
Integration between change management and incident response ensures that unplanned alterations are treated as potential indicators of compromise or control failure. Unauthorized or undocumented changes must automatically trigger incident investigations. Operations and development teams must coordinate during major incidents, with rollback decisions authorized by incident commanders or CAB representatives. Linking change and incident records allows correlation of failures to root causes—patches, updates, or code deployments—helping identify systemic weaknesses. This integration prevents silos and ensures that both reactive and proactive controls support the same objective: resilience.
Measuring change metrics and health provides insight into program performance. Metrics such as mean time to deploy (MTTD), change success rate, rollback frequency, and proportion of emergency versus planned changes reveal efficiency and stability trends. A consistently high success rate with few rollbacks signals process maturity, while excessive emergency changes suggest planning gaps. Dashboards displaying these metrics guide leadership discussions on resourcing, automation, and risk prioritization. In SOC 2, numbers tell the story: metrics transform change management from a procedural checklist into a performance-driven discipline.
The maturity progression for CC8 moves from manual, ticket-based change tracking to fully automated, integrated workflows. Early programs rely on spreadsheets and emails to coordinate releases. Mature environments integrate change management tools directly into CI/CD pipelines, automatically linking approvals, test results, and risk scans. Advanced organizations achieve declarative governance, where IaC enforces compliance and drift detection occurs in real time. The most mature state features closed-loop monitoring, predictive metrics, and automated rollback triggers. Each stage enhances control reliability while accelerating delivery, proving that governance and agility are not opposites—they are partners in operational excellence.
True effectiveness under CC8 requires cross-team collaboration. Development, security, operations, and compliance teams must share visibility into upcoming releases, readiness assessments, and risk ratings. Regular “change readiness” meetings promote transparency, while shared channels keep communication open during deployments. Leadership involvement in reviewing post-release outcomes reinforces accountability and celebrates successes, not just exceptions. Collaboration ensures that change control evolves with the organization, enabling rapid innovation under a framework of shared trust and collective ownership.
