CM-5

  • Requirement

    Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

  • Discussion

    Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals' privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

More Info

  • Title

    Access Restrictions for Change
  • Family

    Configuration Management
  • NIST 800-53B Baseline(s)

    • Low
    • Moderate
    • High
  • Related NIST 800-53 ID

    AC-3; AC-5; AC-6; CM-9; PE-3; SC-28; SC-34; SC-37; SI-2; SI-10

NIST 800-53A Assessment Guidance
