BRACKETOLOGY | FEDRAMP

CM-5: ACCESS RESTRICTIONS FOR CHANGE

  • FedRAMP Baseline Membership CM-5:
  • MODERATE
  • HIGH

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

SUPPLEMENTAL GUIDANCE

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

RELATED CONTROLS: AC-3, AC-6, PE-3

CONTROL ENHANCEMENTS

CM-5 (1) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATED ACCESS ENFORCEMENT / AUDITING
  • FedRAMP Baseline Membership CM-5 (1):
  • MODERATE
  • HIGH

The information system enforces access restrictions and supports auditing of the enforcement actions.

Supplemental Guidance: NONE

RELATED CONTROLS: AU-2, AU-12, AU-6, CM-3, CM-6

CM-5 (2) ACCESS RESTRICTIONS FOR CHANGE | REVIEW SYSTEM CHANGES
  • FedRAMP Baseline Membership CM-5 (2):
  • HIGH

The organization reviews information system changes [Assignment: organization-defined frequency] and [Assignment: organization-defined circumstances] to determine whether unauthorized changes have occurred.

FedRAMP control configuration by baseline:

LOW: no FedRAMP-specific requirements.

MODERATE: no FedRAMP-specific requirements.

HIGH: The organization reviews information system changes at least every thirty (30) days and under organization-defined circumstances to determine whether unauthorized changes have occurred.


Supplemental Guidance:

Indications that warrant review of information system changes and the specific circumstances justifying such reviews may be obtained from activities carried out by organizations during the configuration change process.

RELATED CONTROLS: AU-6, AU-7, CM-3, CM-6
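In practice the review this enhancement requires is a reconciliation: what actually changed on the system against what change control approved. The Go program below is an added example, not part of the FedRAMP or NIST text, of that reconciliation. It diffs an observed manifest of component hashes against the approved baseline, matches each deviation to an approved change record by path and expected post-change hash, reports everything else as unauthorized, and checks whether the 30-day review interval has lapsed. The paths, file contents, ticket identifier CHG-1042 and the Manifest/ApprovedChange/Finding types are constructed for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"time"
)

// Manifest maps a controlled component (path) to the hex SHA-256 of its contents.
type Manifest map[string]string

// ApprovedChange is a change that went through change control. NewHash is the
// digest the component must have afterwards, or "" when the change removes it.
type ApprovedChange struct {
	Ticket  string
	Path    string
	NewHash string
}

// Finding is one deviation between baseline and observed state. Ticket is empty
// when no approved change accounts for it, i.e. the change is unauthorized.
type Finding struct {
	Path   string
	Kind   string // "modified", "added" or "removed"
	Ticket string
}

// digest returns the hex SHA-256 of content.
func digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// ReviewChanges diffs observed against baseline and reconciles every deviation
// with the approved change records. A deviation is authorized only when an
// approved change names the same path AND the same resulting hash.
func ReviewChanges(baseline, observed Manifest, approved []ApprovedChange) []Finding {
	byPath := make(map[string]ApprovedChange, len(approved))
	for _, a := range approved {
		byPath[a.Path] = a
	}
	ticketFor := func(path, newHash string) string {
		if a, ok := byPath[path]; ok && a.NewHash == newHash {
			return a.Ticket
		}
		return ""
	}
	var findings []Finding
	for path, oldHash := range baseline {
		newHash, present := observed[path]
		switch {
		case !present:
			findings = append(findings, Finding{path, "removed", ticketFor(path, "")})
		case newHash != oldHash:
			findings = append(findings, Finding{path, "modified", ticketFor(path, newHash)})
		}
	}
	for path, newHash := range observed {
		if _, present := baseline[path]; !present {
			findings = append(findings, Finding{path, "added", ticketFor(path, newHash)})
		}
	}
	sort.Slice(findings, func(i, j int) bool { return findings[i].Path < findings[j].Path })
	return findings
}

// Unauthorized keeps only the findings no approved change accounts for.
func Unauthorized(findings []Finding) []Finding {
	var out []Finding
	for _, f := range findings {
		if f.Ticket == "" {
			out = append(out, f)
		}
	}
	return out
}

// ReviewOverdue reports whether the periodic review has lapsed (30 days for FedRAMP High).
func ReviewOverdue(lastReview, now time.Time, maxAge time.Duration) bool {
	return now.Sub(lastReview) > maxAge
}

// sampleInputs returns constructed data (not taken from any real system).
func sampleInputs() (Manifest, Manifest, []ApprovedChange) {
	baseline := Manifest{
		"/etc/app/app.conf":    digest([]byte("listen=8443\ntls=required\n")),
		"/opt/app/bin/app":     digest([]byte("app binary 2.4.0")),
		"/opt/app/lib/libx.so": digest([]byte("libx 1.0")),
	}
	observed := Manifest{
		"/etc/app/app.conf":    digest([]byte("listen=8443\ntls=optional\n")), // weakened, no ticket
		"/opt/app/bin/app":     digest([]byte("app binary 2.4.1")),             // upgrade covered by CHG-1042
		"/opt/app/lib/evil.so": digest([]byte("unexpected library")),           // appeared, no ticket
		// libx.so is gone and no approved change removed it
	}
	approved := []ApprovedChange{
		{Ticket: "CHG-1042", Path: "/opt/app/bin/app", NewHash: digest([]byte("app binary 2.4.1"))},
	}
	return baseline, observed, approved
}

func main() {
	baseline, observed, approved := sampleInputs()
	for _, f := range ReviewChanges(baseline, observed, approved) {
		status := "UNAUTHORIZED"
		if f.Ticket != "" {
			status = "approved by " + f.Ticket
		}
		fmt.Printf("%-9s %-24s %s\n", f.Kind, f.Path, status)
	}
	lastReview := time.Now().Add(-45 * 24 * time.Hour) // constructed: 45 days ago
	fmt.Println("review overdue:", ReviewOverdue(lastReview, time.Now(), 30*24*time.Hour))
}
```

Matching on path and resulting hash, rather than on path alone, is what keeps an approved ticket from laundering an unrelated edit to the same file; the same pattern applies whether the manifest comes from a package database, a file-integrity tool, or an infrastructure-as-code state file.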

CM-5 (3) ACCESS RESTRICTIONS FOR CHANGE | SIGNED COMPONENTS
  • FedRAMP Baseline Membership CM-5 (3):
  • MODERATE
  • HIGH

The information system prevents the installation of [Assignment: organization-defined software and firmware components] without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

FedRAMP control configuration by baseline:

LOW: no FedRAMP-specific requirements.

MODERATE and HIGH: The information system prevents the installation of organization-defined software and firmware components without verification that the component has been digitally signed using a certificate that is recognized and approved by the organization.

FedRAMP GUIDANCE:

If digital signatures/certificates are unavailable, alternative cryptographic integrity checks (hashes, self-signed certs, etc.) can be used.


Supplemental Guidance:

Software and firmware components prevented from installation unless signed with recognized and approved certificates include, for example, software and firmware version updates, patches, service packs, device drivers, and basic input output system (BIOS) updates. Organizations can identify applicable software and firmware components by type, by specific items, or a combination of both. Digital signatures, and organizational verification of such signatures, are a method of code authentication.

RELATED CONTROLS: CM-7, SC-13, SI-7
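The two decisions this enhancement turns on are that the signature must verify and that the signing key must be one the organization approved; a valid signature from an unapproved key is still a refusal. The Go program below is an added example, not FedRAMP or NIST material and not any vendor's installer, of an installation gate that makes both decisions and then applies the FedRAMP fallback for components that ship unsigned: a digest pinned out of band. Ed25519 keys generated at run time stand in for the certificate-based signing real platforms use (Authenticode, RPM/deb package signing, UEFI db entries), the ApprovedSigners map stands in for the organization's approved-certificate store, and the key identifier org-release-key, the component names and the payloads are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// Component is a software or firmware artifact presented for installation.
type Component struct {
	Name      string
	Payload   []byte
	SignerID  string // identifier of the key the publisher claims signed Payload
	Signature []byte // ed25519 signature over Payload; nil when none is supplied
}

// Gate holds the organization's approved signing keys and, for components that
// ship unsigned, the digests pinned from a trusted out-of-band source.
type Gate struct {
	ApprovedSigners map[string]ed25519.PublicKey // key ID -> approved public key
	PinnedDigests   map[string]string            // component name -> hex SHA-256
}

var (
	ErrUnknownSigner  = errors.New("signer is not in the organization-approved set")
	ErrBadSignature   = errors.New("signature does not verify over the payload")
	ErrNoIntegrity    = errors.New("unsigned and no pinned digest: installation refused")
	ErrDigestMismatch = errors.New("payload digest does not match the pinned value")
)

// Authorize returns nil only when the component may be installed: its signature
// verifies under an approved key, or, when unsigned, its digest matches the pin.
func (g Gate) Authorize(c Component) error {
	if c.Signature != nil {
		pub, ok := g.ApprovedSigners[c.SignerID]
		if !ok {
			return ErrUnknownSigner // checked before the signature: unapproved keys never get a say
		}
		if !ed25519.Verify(pub, c.Payload, c.Signature) {
			return ErrBadSignature
		}
		return nil
	}
	want, ok := g.PinnedDigests[c.Name]
	if !ok {
		return ErrNoIntegrity // no signature and nothing pinned: fail closed
	}
	if subtle.ConstantTimeCompare([]byte(digestHex(c.Payload)), []byte(want)) != 1 {
		return ErrDigestMismatch
	}
	return nil
}

func digestHex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

func mustKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Scenarios runs constructed cases (keys and payloads generated here, not real
// release material) and returns the gate's decision for each.
func Scenarios() map[string]error {
	orgPub, orgPriv := mustKey() // key the organization has approved
	_, roguePriv := mustKey()    // key nobody approved
	firmware := []byte("legacy firmware image v3")
	gate := Gate{
		ApprovedSigners: map[string]ed25519.PublicKey{"org-release-key": orgPub},
		PinnedDigests:   map[string]string{"fw-legacy.bin": digestHex(firmware)},
	}
	patch := []byte("app patch 2.4.1")
	good := Component{"app-2.4.1.pkg", patch, "org-release-key", ed25519.Sign(orgPriv, patch)}
	tampered := good
	tampered.Payload = []byte("app patch 2.4.1 + backdoor")
	return map[string]error{
		"signed by approved key":        gate.Authorize(good),
		"payload altered after signing": gate.Authorize(tampered),
		"signed by unapproved key":      gate.Authorize(Component{"vendor.pkg", patch, "vendor-key", ed25519.Sign(roguePriv, patch)}),
		"forged signer ID":              gate.Authorize(Component{"vendor.pkg", patch, "org-release-key", ed25519.Sign(roguePriv, patch)}),
		"unsigned, digest pinned":       gate.Authorize(Component{"fw-legacy.bin", firmware, "", nil}),
		"unsigned, digest mismatch":     gate.Authorize(Component{"fw-legacy.bin", []byte("other image"), "", nil}),
		"unsigned, nothing pinned":      gate.Authorize(Component{"mystery.bin", firmware, "", nil}),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-32s -> %v\n", name, err)
	}
}
```

Two caveats follow from the FedRAMP guidance rather than from the code: a pinned hash only provides integrity if it was obtained through a channel the attacker who could substitute the component cannot also control, and a self-signed certificate only satisfies the control if its key is itself enrolled as an approved signer, which is what the ApprovedSigners map models.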

CM-5 (4) ACCESS RESTRICTIONS FOR CHANGE | DUAL AUTHORIZATION

The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].

Supplemental Guidance:

Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control.

RELATED CONTROLS: AC-5, CM-3

CM-5 (5) ACCESS RESTRICTIONS FOR CHANGE | LIMIT PRODUCTION / OPERATIONAL PRIVILEGES
  • FedRAMP Baseline Membership CM-5 (5):
  • MODERATE
  • HIGH

The organization:

    • (a) Limits privileges to change information system components and system-related information within a production or operational environment; and
    • (b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].

FedRAMP control configuration by baseline:

LOW: no FedRAMP-specific requirements.

MODERATE and HIGH:

  • (a) Limit privileges to change information system components and system-related information within a production or operational environment; and
  • (b) Review and reevaluate privileges at least quarterly.

Supplemental Guidance:

In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are, in some cases, unknown to developers.

RELATED CONTROLS: AC-2

CM-5 (6) ACCESS RESTRICTIONS FOR CHANGE | LIMIT LIBRARY PRIVILEGES

The organization limits privileges to change software resident within software libraries.

Supplemental Guidance:

Software libraries include privileged programs.

RELATED CONTROLS: AC-2

CM-5 (7) ACCESS RESTRICTIONS FOR CHANGE | AUTOMATIC IMPLEMENTATION OF SECURITY SAFEGUARDS

[Withdrawn: Incorporated into SI-7].

REFERENCES:

  • NO REFERENCES