CMMC 2.0 • LEVEL 2 • CONFIGURATION MANAGEMENT

CM.L2-3.4.5 Access Restrictions for Change

Changes to the hardware, software, or firmware components of the system or the operational procedures related to the system can have potentially significant effects on the security of the system. Therefore, organizations permit only qualified and authorized individuals to access the system for the purpose of initiating changes. Access restrictions include physical and logical access controls, software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into the system), and change windows (i.e., changes occur only during specified times).

NIST 800-171 Mapping

NIST 800-53 Controls

Assessment Objectives

  • physical access restrictions associated with changes to the system are defined and documented.
  • physical access restrictions associated with changes to the system are approved.
  • physical access restrictions associated with changes to the system are enforced.
  • logical access restrictions associated with changes to the system are defined and documented.
  • logical access restrictions associated with changes to the system are approved.
  • logical access restrictions associated with changes to the system are enforced.
