CM-05 Access Restrictions for Change

Baselines

Guidance

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3 ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

References 2

• FIPS 140-3 National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
• FIPS 186-4 National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.

Control Enhancements 7

• CM-05(01) Automated Access Enforcement and Audit Records L M H P
• CM-05(02) Review System Changes
• CM-05(03) Signed Components
• CM-05(04) Dual Authorization L M H P
• CM-05(05) Privilege Limitation for Production and Operation L M H P
• CM-05(06) Limit Library Privileges L M H P
• CM-05(07) Automatic Implementation of Security Safeguards

Related controls 10

• AC-03 Access Enforcement L M H P
• AC-05 Separation of Duties L M H P
• AC-06 Least Privilege L M H P
• CM-09 Configuration Management Plan L M H P
• PE-03 Physical Access Control L M H P
• SC-28 Protection of Information at Rest L M H P
• SC-34 Non-modifiable Executable Programs L M H P
• SC-37 Out-of-band Channels L M H P
• SI-02 Flaw Remediation L M H P
• SI-10 Information Input Validation L M H P