STIGhub — A free STIG search and compliance tool · STIGs updated 3 days ago

CM-5

Configuration Management · Rev 5 · organization

Access Restrictions for Change

Baselines: Low, Moderate, High

Control Statement

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

Supplemental Guidance

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3)), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

Related Controls (10)

AC-3, AC-5, AC-6, CM-9, PE-3, SC-28, SC-34, SC-37, SI-2, SI-10

CCI Identifiers (10)

- CCI-000338: The organization defines physical access restrictions associated with changes to the information system.
- CCI-000339: The organization documents physical access restrictions associated with changes to the information system.
- CCI-000340: Approve physical access restrictions associated with changes to the system.
- CCI-000341: Enforce physical access restrictions associated with changes to the system.
- CCI-000342: The organization defines logical access restrictions associated with changes to the information system.
- CCI-000343: The organization documents logical access restrictions associated with changes to the information system.
- CCI-003935: Define and document physical access restrictions associated with changes to the system.
- CCI-003936: Define and document logical access restrictions associated with changes to the system.

Linked STIG Checks (20)

Across 20 STIGs.

- CCI-000344: Approve logical access restrictions associated with changes to the system.
- CCI-000345: Enforce logical access restrictions associated with changes to the system.