CM-05 · Access Restrictions for Change

Control Description

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

Impact Baselines
Security baselines where this control applies
Not in any baseline
Control Properties
SP800-53
organization
Control Statement
The control requirements

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

Supplemental Guidance

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3) ), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

Related NIST Controls
Other NIST 800-53 controls related to this one
AC-03
AC-05
AC-06
CM-09
PE-03
SC-28
SC-34
SC-37
SI-02
SI-10
References
National Institute of Standards and Technology (2019) Security Requirements for Cryptographic Modules. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 140-3.
National Institute of Standards and Technology (2013) Digital Signature Standard (DSS). (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 186-4.