NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-5(4)Dual Authorization

Enforce dual authorization for implementing changes to {{ insert: param, cm-5.4_prm_1 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations employ dual authorization to help ensure that any changes to selected system components and information cannot occur unless two qualified individuals approve and implement such changes. The two individuals possess the skills and expertise to determine if the proposed changes are correct implementations of approved changes. The individuals are also accountable for the changes. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. System-level information includes operational procedures.

Practitioner Notes

This enhancement requires two authorized individuals to approve changes to critical system components — no single person can make high-impact changes alone.

Example 1: Configure your GitHub repository to require at least two approving reviewers on pull requests before code can be merged into the production branch.

Example 2: Require two authorized administrators to independently approve and execute firewall rule changes on your Palo Alto or Cisco ASA firewalls for critical rules.

More Configuration Management Controls

CM-1 Policy and Procedures CM-2 Baseline Configuration CM-2(1) Reviews and Updates CM-2(2) Automation Support for Accuracy and Currency