Governance for cybersecurity architecture (such as an architecture review process) is established and maintained that includes provisions for periodic architectural reviews and an exceptions process
Context and Guidance: There is sufficient oversight of the cybersecurity architecture or equivalent cybersecurity architecture governance function to prevent architectural drift—the discrepancy between the documented architecture and the implemented architecture. For example, proposed changes to the architecture are subject to review and approval, and exceptions are approved with knowledge of the risks and consequences.
Related Practices • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: ARCHITECTURE-1d, ARCHITECTURE-1e.