CM-5(5): Limit Production / Operational Privileges
Control Family:
Parent Control:
CSF v1.1 References:
Threats Addressed:
Baselines: (Not part of any baseline)
Next Version:
- NIST Special Publication 800-53 Revision 5:
- CM-5(5): Privilege Limitation for Production and Operation
Control Statement
The organization:
- Limits privileges to change information system components and system-related information within a production or operational environment; and
- Reviews and reevaluates privileges [Assignment: organization-defined frequency].
Supplemental Guidance
In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are, in some cases, unknown to developers.