Organizational Control: Access Restrictions For Change

Control ID: CM-5 Access Restrictions For Change
Family: Configuration Management
Source: NIST 800-53r4
Control: The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
Supplemental Guidance:
Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Related Controls: AC-3, AC-6, PE-3
Control Enhancements:
(1) Access Restrictions For Change | Automated Access Enforcement / Auditing
The information system enforces access restrictions and supports auditing of the enforcement actions.
Supplemental Guidance:
Related Controls: AU-2, AU-6, AU-12, CM-3, CM-6

(2) Access Restrictions For Change | Review System Changes
The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.
Supplemental Guidance: Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process.
Related Controls: AU-6, AU-7, CM-3, CM-5, PE-6, PE-8
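The enforcement and auditing that CM-5(1) calls for, together with the after-the-fact review of CM-5(2), can be illustrated with a small change gate: every request to modify a component is checked against an authorized-requester list, an approval flag and a change window, every decision is written to an audit trail, and a review step reconciles changes actually observed on the system against the allowed entries in that trail, flagging anything without a matching authorization. This is an added example and is not text or code from NIST SP 800-53 or from any product; the request fields, the hour-based UTC change window, the shape of the observed-change feed (as a file integrity monitor might produce) and the one-hour reconciliation tolerance are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// ChangeRequest is a hypothetical change ticket (field names are assumptions).
type ChangeRequest struct {
	ID        string
	Requester string
	Target    string // component being changed, e.g. "web-01:/etc/nginx/nginx.conf"
	Approved  bool   // approval recorded by the change control process (CM-3)
}

// AuditEvent records one enforcement decision for later review (AU-2/AU-12).
type AuditEvent struct {
	When      time.Time
	ChangeID  string
	Requester string
	Target    string
	Allowed   bool
	Reason    string
}

// ChangeGate enforces the access restrictions for change and keeps the audit trail.
type ChangeGate struct {
	Authorized  map[string]bool // requesters permitted to initiate changes
	WindowStart int             // change window, hours UTC, inclusive start
	WindowEnd   int             // exclusive end
	Audit       []AuditEvent
}

// Enforce returns true only for an authorized, approved change inside the window;
// the decision and its reason are recorded whether or not the change is allowed.
func (g *ChangeGate) Enforce(cr ChangeRequest, now time.Time) bool {
	allowed, reason := true, "authorized change within window"
	hour := now.UTC().Hour()
	switch {
	case !g.Authorized[cr.Requester]:
		allowed, reason = false, "requester not authorized to initiate changes"
	case !cr.Approved:
		allowed, reason = false, "change not approved"
	case hour < g.WindowStart || hour >= g.WindowEnd:
		allowed, reason = false, "outside change window"
	}
	g.Audit = append(g.Audit, AuditEvent{When: now, ChangeID: cr.ID, Requester: cr.Requester,
		Target: cr.Target, Allowed: allowed, Reason: reason})
	return allowed
}

// ObservedChange is a modification actually detected on the system (assumed feed format).
type ObservedChange struct {
	When   time.Time
	Target string
}

// ReviewChanges implements the CM-5(2) review: each observed change must be preceded,
// within tolerance, by an allowed audit event for the same target; the rest are unauthorized.
func ReviewChanges(audit []AuditEvent, observed []ObservedChange, tolerance time.Duration) []ObservedChange {
	var unauthorized []ObservedChange
	for _, oc := range observed {
		matched := false
		for _, ev := range audit {
			if ev.Allowed && ev.Target == oc.Target &&
				!oc.When.Before(ev.When) && oc.When.Sub(ev.When) <= tolerance {
				matched = true
				break
			}
		}
		if !matched {
			unauthorized = append(unauthorized, oc)
		}
	}
	return unauthorized
}

func main() {
	g := &ChangeGate{Authorized: map[string]bool{"alice": true}, WindowStart: 2, WindowEnd: 4}
	inWindow := time.Date(2024, 1, 10, 3, 0, 0, 0, time.UTC) // constructed timestamps
	g.Enforce(ChangeRequest{ID: "CHG-1", Requester: "alice", Target: "web-01:/etc/nginx/nginx.conf", Approved: true}, inWindow)
	g.Enforce(ChangeRequest{ID: "CHG-2", Requester: "mallory", Target: "web-01:/etc/nginx/nginx.conf", Approved: true}, inWindow)
	g.Enforce(ChangeRequest{ID: "CHG-3", Requester: "alice", Target: "db-01:/etc/postgresql/pg_hba.conf", Approved: true}, inWindow.Add(5*time.Hour))
	for _, ev := range g.Audit {
		fmt.Printf("%s %-6s %-8s allowed=%-5v %s\n", ev.When.Format(time.RFC3339), ev.ChangeID, ev.Requester, ev.Allowed, ev.Reason)
	}
	observed := []ObservedChange{ // constructed integrity-monitor findings
		{When: inWindow.Add(10 * time.Minute), Target: "web-01:/etc/nginx/nginx.conf"},
		{When: inWindow.Add(5*time.Hour + time.Minute), Target: "db-01:/etc/postgresql/pg_hba.conf"},
	}
	for _, u := range ReviewChanges(g.Audit, observed, time.Hour) {
		fmt.Printf("UNAUTHORIZED change to %s at %s\n", u.Target, u.When.Format(time.RFC3339))
	}
}
```

The denied CHG-3 still appears in the audit trail, which is what lets the review tie the later pg_hba.conf modification to a rejected request rather than to nothing at all; the change window does the work the base control describes, making an out-of-window modification stand out on its own.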

(3) Access Restrictions For Change | Signed Components
The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.
Supplemental Guidance: Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures, and organizational verification of such signatures, are a method of code authentication.
Related Controls: CM-7, SC-13, SI-7
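The CM-5(3) check has two parts that are easy to conflate: the signature must verify over the component's contents, and the signing certificate must chain to a root the organization has recognized and approved (here with the code-signing extended key usage required). A valid signature from a certificate the organization never approved must be rejected just as an unsigned or tampered component is. The following is an added example written for this page and is not NIST text or any vendor's installer; it builds a throwaway ECDSA PKI in memory so it runs offline (a real installer would load the approved roots from the organization's trust store), and the component names, the firmware bytes and the ECDSA/SHA-256 signature format are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Component is a software or firmware artifact as delivered for installation:
// the bytes, the signer's certificate (DER) and an ECDSA/SHA-256 signature over the bytes.
type Component struct {
	Name      string
	Data      []byte
	CertDER   []byte
	Signature []byte
}

var (
	ErrUnsigned        = errors.New("component is not signed")
	ErrUntrustedSigner = errors.New("signing certificate is not recognized and approved")
	ErrBadSignature    = errors.New("signature does not verify over the component contents")
)

// Installer refuses any component whose signer does not chain to an approved root
// carrying the code-signing EKU, or whose signature does not cover the bytes delivered.
type Installer struct{ Approved *x509.CertPool }

func (in *Installer) Install(c Component) error {
	if len(c.CertDER) == 0 || len(c.Signature) == 0 {
		return ErrUnsigned
	}
	cert, err := x509.ParseCertificate(c.CertDER)
	if err != nil {
		return fmt.Errorf("%w: %v", ErrUntrustedSigner, err)
	}
	// Step 1: the certificate must chain to an organization-approved root.
	opts := x509.VerifyOptions{Roots: in.Approved, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("%w: %v", ErrUntrustedSigner, err)
	}
	// Step 2: CheckSignature hashes c.Data with SHA-256 and verifies the ECDSA signature
	// with the certificate's public key, so a modified component fails here.
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, c.Data, c.Signature); err != nil {
		return fmt.Errorf("%w: %v", ErrBadSignature, err)
	}
	return nil
}

// SignComponent produces the signature a release pipeline would attach to an artifact.
func SignComponent(name string, data, certDER []byte, key *ecdsa.PrivateKey) (Component, error) {
	digest := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Component{}, err
	}
	return Component{Name: name, Data: data, CertDER: certDER, Signature: sig}, nil
}

// NewCA and NewCodeSigner build an in-memory PKI so the example is self-contained.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func NewCodeSigner(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string) ([]byte, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	return der, key, err
}

func main() {
	orgCA, orgKey, _ := NewCA("Example Org Code Signing Root") // hypothetical organization root
	pool := x509.NewCertPool()
	pool.AddCert(orgCA)
	in := &Installer{Approved: pool}
	signerDER, signerKey, _ := NewCodeSigner(orgCA, orgKey, "release-pipeline")
	firmware := []byte("constructed firmware image v1.2.3") // constructed sample bytes
	good, _ := SignComponent("bios-1.2.3.bin", firmware, signerDER, signerKey)
	fmt.Println("approved signer:   ", in.Install(good))
	tampered := good
	tampered.Data = append([]byte{}, firmware...)
	tampered.Data = append(tampered.Data, " + implant"...)
	fmt.Println("tampered contents: ", in.Install(tampered))
	rogueCA, rogueKey, _ := NewCA("Rogue CA") // valid PKI, but not approved by the organization
	rogueDER, rogueKeyLeaf, _ := NewCodeSigner(rogueCA, rogueKey, "attacker")
	bad, _ := SignComponent("bios-1.2.3.bin", firmware, rogueDER, rogueKeyLeaf)
	fmt.Println("unapproved signer: ", in.Install(bad))
	fmt.Println("unsigned:          ", in.Install(Component{Name: "bios-1.2.3.bin", Data: firmware}))
}
```

The order of the two checks matters in practice: verifying the chain before the signature means an attacker cannot learn anything about the installer's behaviour on a correctly signed payload until they hold a certificate the organization actually approved, and the distinct error values give the audit trail a precise reason for each refusal.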
References: N/A
Mechanisms:

Protocol Implementation Conformance Statements: N/A