CMMC Practice CM.3.067

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.


CMMC Version 1.02, pg. 119

Bold Coast Security Guidance

You must demonstrate that a configuration management practice is well-managed. Managed means there is a plan to achieve what policy requires, reporting to stakeholders, and measurement of the effectiveness of the practice as designed. In this case, your management plan must include the steps you will take to ensure change windows are in place, and that IT Department staff performing changes have the physical and logical access required to complete approved changes.

Change management includes identifying who is permitted to perform actual system changes, which requires defining logical access requirements for personnel with change authorization. What also matters is when changes are permitted to be performed, and where those changes will be performed from. Having defined change windows means you understand the possible security implications of making changes. One of those is system disruption, or the loss of system availability. That's why it's important to know when each week there is the least chance of disrupting productivity, and to set change windows accordingly.

Physical access also matters, so you'll need to ensure that personnel with change management responsibilities have the physical access they require to perform identified changes during those change windows. This can mean configuring a centrally managed card-key or code-key system, or issuing keys to facilities, as needed. These access requirements should be associated with individual staff files, as well as any central facilities access management system. This becomes critical when an employee's relationship with your organization is terminated for any reason. You're going to want a quick reference for all the logical and physical access that employee had, so you can disable it in a timely manner.

Discussion From Source

DRAFT NIST SP 800-171 R2

Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries. Access restrictions include physical and logical access control requirements, workflow automation, media libraries, abstract layers (e.g., changes implemented into external interfaces rather than directly into systems), and change windows (e.g., changes occur only during certain specified times). In addition to security concerns, commonly-accepted due diligence for configuration management includes access restrictions as an essential part in ensuring the ability to effectively manage the configuration.