CM-5(1)

Requirement
1. Enforce access restrictions using [Assignment: organization-defined automated mechanisms]; and
2. Automatically generate audit records of the enforcement actions.

Discussion

Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes.

Title

Access Restrictions for Change | Automated Access Enforcement and Audit Records
Family

Configuration Management
NIST 800-53B Baseline(s)
- High

NIST 800-53A Assessment Guidance

Examine

[SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the system; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; change control records; system audit records; system security plan; other relevant documents or records].

Interview

[SELECT FROM: Organizational personnel with logical access control responsibilities; organizational personnel with physical access control responsibilities; organizational personnel with information security responsibilities; system/network administrators].

Test

[SELECT FROM: Organizational processes for managing access restrictions to change; automated mechanisms implementing the enforcement of access restrictions for changes to the system; automated mechanisms supporting auditing of enforcement actions].

ID	Assessment Objectives
CM-05(01)(a)	access restrictions for change are enforced using <CM-05(01)_ODP automated mechanisms>;
CM-05(01)(b)	audit records of enforcement actions are automatically generated.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!