Operating System Upgrades and SCRs

old.reddit.com / @/u/sdgoat, https://old.reddit.com/user/sdgoat

How are you all handling OS upgrades and Significant Changes? Reading through NIST 800-37, it states that OS upgrades are likely a trigger for an SCR. However, it then states that the org Security Impact Assessment should determine this change to be significant or not. If we are following STIG/SRG configuration requirements, I don't see how upgrading AL2 to AL2023, as an example, would require an SCR. Under RMF and the previous DoD C&A framework we re-evaluated every OS upgrade, but that was because OS upgrades rarely happened.

I am planning on bringing this up with our 3PAO, but curious what others are doing around this.


published 8 days ago



