CM-5: Access Restrictions For Change

CSF v1.1 References:

PF v1.0 References:

Threats Addressed:


Next Version:

Control Statement

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Supplemental Guidance

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Control Enhancements

CM-5(2): Review System Changes


  • High

The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.

CM-5(3): Signed Components


  • High

The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

CM-5(4): Dual Authorization


(Not part of any baseline)

The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].

CM-5(5): Limit Production / Operational Privileges


(Not part of any baseline)

The organization: Limits privileges to change information system components and system-related information within a production or operational environment; and Reviews and reevaluates privileges [Assignment: organization-defined frequency].