CM-5 (5) Access Restrictions For Change | Limit Production / Operational Privileges
The organization:
CM-5 (5)(a): Limits privileges to change information system components and system-related information within a production or operational environment; and
CM-5 (5)(b): Reviews and reevaluates privileges [Assignment: organization-defined frequency].
Applicable CNSSI 1253 Baselines
Confidentiality
- L
- M
- H
Integrity
- L
- M
- H
Availability
- L
- M
- H
Supplemental Guidance
In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers.