NIST 800-171 • LEVEL 2 • CONFIGURATION MANAGEMENT
3.4.5 — Access Restrictions for Change
Changes to the hardware, software, or firmware components of the system or the operational procedures related to the system can have potentially significant effects on the security of the system. Therefore, organizations permit only qualified and authorized individuals to access the system for the purpose of initiating changes. Access restrictions include physical and logical access controls, software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into the system), and change windows (i.e., changes occur only during specified times).
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- physical access restrictions associated with changes to the system are defined and documented.
- physical access restrictions associated with changes to the system are approved.
- physical access restrictions associated with changes to the system are enforced.
- logical access restrictions associated with changes to the system are defined and documented.
- logical access restrictions associated with changes to the system are approved.
- logical access restrictions associated with changes to the system are enforced.
Practitioner Notes
Only authorized people should be able to make changes to your systems. This means both physical restrictions (who can walk up to a server and plug something in) and logical restrictions (who has admin credentials to modify configurations).
If everyone can make changes, nobody is accountable — and you cannot trace what went wrong when something breaks.
Example 1: In Active Directory, restrict membership in privileged groups (Domain Admins, Enterprise Admins, Schema Admins) to only the personnel who genuinely need that access. In Active Directory Users and Computers, open the Builtin and Users containers and audit group membership quarterly. Use a GPO to enforce Restricted Groups under Computer Configuration > Windows Settings > Security Settings > Restricted Groups.
Example 2: For network infrastructure changes, configure role-based access control (RBAC) on your switches and routers. On Cisco IOS devices, use the privilege exec level 7 command to create a custom privilege level that allows monitoring but not configuration changes. Reserve level 15 for approved network administrators only and log all access via a TACACS+ server.
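One way to check that the restrictions in Example 2 are actually enforced is to audit a saved running-config. This is an added example, not part of the original page. The approved administrator list, the list of change-capable commands, and the sample configuration are all assumptions constructed for illustration.

```python
import re

# Assumption: approved level 15 administrators come from your change-control records.
APPROVED_LEVEL15 = {"netadmin1"}
MONITOR_LEVEL = 7  # custom monitoring-only level from Example 2
# Assumed list of exec commands that open a path to configuration changes.
CHANGE_COMMANDS = ("configure", "copy", "write", "reload", "erase", "delete")

# Constructed sample running-config, not taken from a real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+ local
username netadmin1 privilege 15 secret 9 $9$constructed
username helpdesk privilege 15 secret 9 $9$constructed
username noc privilege 7 secret 9 $9$constructed
privilege exec level 7 show running-config
privilege exec level 7 configure terminal
"""

def audit_ios_config(config, approved=APPROVED_LEVEL15):
    """Return a list of findings against the access restrictions in Example 2."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    for ln in lines:
        # Local accounts at level 15 must be on the approved list.
        m = re.match(r"username (\S+) privilege (\d+)\b", ln)
        if m and int(m.group(2)) == 15 and m.group(1) not in approved:
            findings.append(f"unapproved level 15 account: {m.group(1)}")
        # Commands moved to the monitoring level must not allow changes.
        m = re.match(r"privilege (\S+)(?: all)? level (\d+) (.+)", ln)
        if m and int(m.group(2)) == MONITOR_LEVEL:
            mode, cmd = m.group(1), m.group(3)
            # Any non-exec mode, or a change-capable exec command, breaks "monitoring only".
            if mode != "exec" or cmd.split()[0] in CHANGE_COMMANDS:
                findings.append(f"level {MONITOR_LEVEL} can change config: {ln}")
    # Access must be authenticated and logged through TACACS+.
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing")
    for kind in ("authentication login", "accounting"):
        if not any(ln.startswith(f"aaa {kind} ") and "group tacacs+" in ln for ln in lines):
            findings.append(f"no TACACS+ method list for aaa {kind}")
    return findings

if __name__ == "__main__":
    for finding in audit_ios_config(SAMPLE_CONFIG):
        print(finding)
```

Run it against each device's exported configuration and keep the output with your change records as evidence that the logical access restrictions are enforced.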