CM-5(4): Dual Authorization

(Not part of any baseline)

Control Statement

The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].

Supplemental Guidance

Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control.