EN 304 621: Add provenance for automated actions (actor/context) and deterministic change attribution
## Draft
- Standard: EN 304 621 (Network Management Systems)
- Draft version:
- Section: \<TBD: Automation / orchestration / change attribution\>
## Problem / Observation
Many NMS deployments execute automated changes (scripts, policies, orchestration). Without provenance (who/what/which policy) and deterministic attribution, audits cannot replay why a change occurred.
## Proposed change (exact text)
Add:
"For any configuration or policy change applied by the product, the product SHALL record provenance sufficient to attribute the change to an actor and context (e.g., user, automated workflow, policy/rule identifier, and triggering event reference). This provenance SHALL be recorded in audit logs and SHALL be retrievable for verification."
## Rationale
- Enables audit replay and accountability for automated control planes.
- Reduces ambiguity in incident investigations.
## Conformance impact
- PASS if each change can be attributed to actor+context with retrievable references.
- FAIL if automated changes cannot be deterministically attributed.
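The PASS/FAIL criteria above can be checked mechanically over exported audit records. The following is an added example, not part of the original issue or of EN 304 621; the record layout, field names (`actor_type`, `actor_id`, `policy_id`, `trigger_event_ref`, `session_ref`) and all sample data are assumptions constructed for illustration.

```python
# Constructed sample data; field names are assumptions, not defined by EN 304 621.
EVENTS = {"evt-1001": {"type": "link_down", "source": "probe-7"}}  # retrievable trigger events

AUDIT_LOG = [
    {"change_id": "chg-1", "actor_type": "user", "actor_id": "alice",
     "context": {"session_ref": "sess-42"}},
    {"change_id": "chg-2", "actor_type": "workflow", "actor_id": "wf-failover",
     "context": {"policy_id": "pol-17", "trigger_event_ref": "evt-1001"}},
    {"change_id": "chg-3", "actor_type": "workflow", "actor_id": "wf-failover",
     "context": {"policy_id": "pol-17", "trigger_event_ref": "evt-9999"}},  # dangling ref
    {"change_id": "chg-4", "actor_type": "workflow", "actor_id": "",
     "context": {}},  # automated change with no provenance
]

# Context fields each actor type must carry to be attributable (assumed mapping).
REQUIRED_CONTEXT = {
    "user": ("session_ref",),
    "workflow": ("policy_id", "trigger_event_ref"),
}

def check_record(rec, events):
    """Return a list of attribution gaps for one audit record (empty = attributable)."""
    actor_type = rec.get("actor_type")
    if actor_type not in REQUIRED_CONTEXT:
        return [f"unknown actor_type {actor_type!r}"]
    gaps = []
    if not rec.get("actor_id"):
        gaps.append("missing actor_id")
    ctx = rec.get("context") or {}
    for field in REQUIRED_CONTEXT[actor_type]:
        if not ctx.get(field):
            gaps.append(f"missing context.{field}")
    # "Retrievable for verification": the referenced trigger event must resolve.
    ref = ctx.get("trigger_event_ref")
    if ref and ref not in events:
        gaps.append(f"trigger_event_ref {ref!r} not retrievable")
    return gaps

def conformance(log, events):
    """PASS only if every change is attributable; otherwise FAIL with per-change gaps."""
    failures = {}
    for rec in log:
        gaps = check_record(rec, events)
        if gaps:
            failures[rec.get("change_id", "<no change_id>")] = gaps
    return ("PASS" if not failures else "FAIL"), failures

if __name__ == "__main__":
    verdict, failures = conformance(AUDIT_LOG, EVENTS)
    print(verdict)
    for change_id, gaps in failures.items():
        print(change_id, "->", "; ".join(gaps))
```

A record whose reference does not resolve fails in the same way as one with no provenance at all, which matches the "retrievable references" wording in the PASS criterion.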