catalog: SP800-53rev3 / class: Operational / family: (CM) Configuration Management

CM-05: Access Restrictions for Change

base control objective:
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

supplemental objective information:
Any changes to the hardware, software, and/or firmware components of the information system can potentially have significant effects on the overall security of the system. Accordingly, only qualified and authorized individuals are allowed to obtain access to information system components for purposes of initiating changes, including upgrades and modifications. Additionally, maintaining records of access is essential for ensuring that configuration change control is being implemented as intended and for supporting after-the-fact actions should the organization become aware of an unauthorized change to the information system. Access restrictions for change also include software libraries. Examples of access restrictions include physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstraction layers (e.g., changes are implemented through a third-party interface rather than directly into the information system component), and change windows (e.g., changes occur only during specified times, making unauthorized changes outside the window easy to discover). Some or all of the enforcement mechanisms and processes necessary to implement this security control are included in other controls. For measures implemented in other controls, this control provides information to be used in the implementation of those controls to cover specific needs related to enforcing authorizations to make changes to the information system, auditing changes, and retaining and reviewing records of changes.

enhancements to the base objective:

(1) The organization employs automated mechanisms to enforce access restrictions and support auditing of the enforcement actions.

(2) The organization conducts audits of information system changes at [Assignment: organization-defined frequency] and when indications so warrant to determine whether unauthorized changes have occurred.

(3) The information system prevents the installation of [Assignment: organization-defined critical software programs] that are not signed with an organizationally recognized and approved certificate.
Enhancement Supplemental Guidance: Critical software programs and/or modules include, for example, device drivers, patches, and service packs.

(4) The organization enforces a two-person rule for changes to [Assignment: organization-defined information system components and system-level information].

(5) The organization:
(a) Limits information system developer/integrator privileges to change hardware, software, and firmware components and system information directly within a production environment; and
(b) Reviews and reevaluates information system developer/integrator privileges [Assignment: organization-defined frequency].

(6) The organization protects software libraries (including privileged programs) from the introduction of unauthorized or malicious code.

(7) The information system automatically implements [Assignment: organization-defined safeguards and countermeasures] if security functions (or mechanisms) are changed inappropriately.
Enhancement Supplemental Guidance: The information system reacts automatically when inappropriate and/or unauthorized modifications have occurred to security functions or mechanisms. Automatic implementation of safeguards and countermeasures includes, for example, reversing the change, halting the information system or triggering an audit alert when an unauthorized modification to a critical security file occurs.
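As an added example (not part of the SP800-53 text), the following Python sketch puts together the audit-and-react pattern of enhancements (2) and (7) with the change-window idea from the supplemental guidance: each observed file is compared against a golden baseline, a change is accepted only if its content is in the approved change record and it landed inside the change window, and anything else is flagged for alerting and reverted from the golden copy. All file paths, contents, the change window and the approved-change record are constructed for illustration.

```python
import hashlib
from datetime import datetime, timezone

# Constructed golden copies of critical security files (the approved baseline content).
GOLDEN_COPIES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\n",
    "/usr/lib/security/pam_unix.so": b"approved pam module v1",
}
# Constructed approved change record: path -> SHA-256 of the content authorised for deployment.
APPROVED_CHANGES = {
    "/etc/ssh/sshd_config": hashlib.sha256(b"PermitRootLogin no\nMaxAuthTries 3\n").hexdigest()
}
CHANGE_WINDOW = (2, 4)  # organisation-defined change window: 02:00-04:00 UTC, constructed

def audit_changes(observed, ts, golden=GOLDEN_COPIES, approved=APPROVED_CHANGES):
    """Compare observed contents (path -> bytes) with the baseline; return (path, verdict, action)."""
    findings = []
    for path, content in observed.items():
        digest = hashlib.sha256(content).hexdigest()
        if path in golden and digest == hashlib.sha256(golden[path]).hexdigest():
            continue                                    # unchanged from baseline: nothing to report
        if digest != approved.get(path):                # content that was never approved
            findings.append((path, "unauthorized_change", "revert_and_alert"))
        elif CHANGE_WINDOW[0] <= ts.hour < CHANGE_WINDOW[1]:  # approved content, inside the window
            findings.append((path, "authorized_change", "record_and_rebaseline"))
        else:                                           # approved content, but outside the window
            findings.append((path, "approved_content_outside_window", "alert"))
    for path in golden.keys() - observed.keys():        # a baseline file that has disappeared
        findings.append((path, "missing", "revert_and_alert"))
    return findings

def remediate(observed, findings, golden=GOLDEN_COPIES):
    """Automatic reaction in the sense of CM-5(7): restore golden content wherever the audit said revert."""
    state = dict(observed)
    for path, _verdict, action in findings:
        if action == "revert_and_alert" and path in golden:
            state[path] = golden[path]
    return state

# Constructed snapshot of the current system: one approved change and one unexplained modification.
OBSERVED = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nMaxAuthTries 3\n",
    "/usr/lib/security/pam_unix.so": b"approved pam module v1 + unexplained patch",
}

def run_audit(hour_utc: int):
    """Run the audit as if it fired at the given UTC hour; returns (findings, remediated state)."""
    ts = datetime(2024, 1, 1, hour_utc, tzinfo=timezone.utc)  # constructed timestamp
    findings = audit_changes(OBSERVED, ts)
    return findings, remediate(OBSERVED, findings)
```

Running `run_audit(3)` accepts the sshd_config change and reverts the PAM module; `run_audit(14)` flags the same sshd_config content because it appeared outside the window.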

mapping to FIPS199 baseline:

LOW: null     MOD: base     HIGH: base (1) (2) (3)

related (regimented) controls:

AC-03   Access Enforcement
AC-06   Least Privilege
PE-03   Physical Access Control

documents referenced in SP800-53rev3 for CM-05:

None.
