CMMC Practice CM.L2-3.4.5

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

Bold Coast Security Guidance

Change management includes identifying who is permitted to perform actual systems changes, which requires defining logical access requirements for personnel with change authorization. What also matter is when changes are permitted to be performed, and where those changes will be performed from. Having defined change-windows means you understand the possible security implications of making changes. One of those is system disruption, or, the loss of system availability. That's why it's important to know when each week there is the least chance of disrupting productivity, and setting change windows accordingly. Physical access also matters, so you'll need to ensure that personnel with change management responsibilities have the physical access they require to perform identified changes during those change windows. This can mean configuration of a centrally managed card-key or code-key system, or issuing keys to facilities, as needed. These access requirements should be associated with individual staff files, as well as any central facilities access management system. This becomes critical when an employee's relationship with your organization is terminated for any reason. You're going to want to have a quick reference for all the logical and physical access that employee had, to disable it in a timely manner.
Security Catapult

Be prepared for CMMC

Our Q&A assessment tool is designed by security advisors for MSPs and DoD contractors of all sizes.

Try now for free

Understand your gaps
Security Catapult

Understand your gaps

See compliance gaps, compliance scores and proactive security tasks in a single interface.

Try now for free

Validate NIST SP 800-171
Security Catapult

Validate NIST SP 800-171

Based on your CMMC answers, we let you know where you stand on NIST.

Try now for free

Build a plan of action
Security Catapult

Build a plan of action

Track your burn down and stay on top of security needs.

Try now for free

Build your policy
Security Catapult

Build your policy

Say goodbye to maintaining a security policy. We do it for you.

Try now for free

Discussion From Source

DRAFT NIST SP 800-171 R2 Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries. Access restrictions include physical and logical access control requirements, workflow automation, media libraries, abstract layers (e.g., changes implemented into external interfaces rather than directly into systems), and change windows (e.g., changes occur only during certain specified times). In addition to security concerns, commonly-accepted due diligence for configuration management includes access restrictions as an essential part in ensuring the ability to effectively manage the configuration.

References