NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT
CM-5 — Access Restrictions for Change
Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.
Supplemental Guidance
Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see [AC-3](#ac-3) and [PE-3](#pe-3)), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).
Practitioner Notes
This control restricts who can make changes to your system. Only authorized personnel should be able to modify configurations, install software, or change system settings.
Example 1: Use Active Directory security groups to restrict who has administrative access to servers, and require privileged access management (PAM) tools like CyberArk for elevated access.
Example 2: In Azure, use Role-Based Access Control (RBAC) to limit who can modify infrastructure settings, granting only the minimum permissions needed for each role.
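As an added illustration of Example 2 (not part of the NIST text and not Microsoft tooling), here is a hypothetical pair of Azure custom role definitions in the JSON shape Azure uses for custom roles, one over-broad and one scoped to the minimum change actions, with a small offline check that reports the least-privilege findings CM-5 cares about. The subscription id, resource-group name, and role names are placeholders.

```python
from typing import Dict, List

# Constructed role definitions in the JSON shape Azure uses for custom roles.
# The subscription id and resource-group name are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"

BROAD_ROLE: Dict = {
    "Name": "ServerChange-Broad",
    "IsCustom": True,
    "Description": "Hypothetical: wildcard rights, assignable subscription-wide.",
    "Actions": ["*"],
    "NotActions": [],
    "AssignableScopes": [SUB],
}

SCOPED_ROLE: Dict = {
    "Name": "ServerChange-VMOperator",
    "IsCustom": True,
    "Description": "Hypothetical: only the VM change actions needed, in one resource group.",
    "Actions": [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Compute/virtualMachines/extensions/write",
    ],
    "NotActions": [],
    "AssignableScopes": [SUB + "/resourceGroups/rg-prod-web"],
}


def check_role(role: Dict) -> List[str]:
    """Return CM-5 least-privilege findings for a role; an empty list passes.

    Two checks: every granted action is enumerated (no wildcard), and every
    assignable scope is a resource group or narrower, so the role cannot be
    handed out subscription-wide.
    """
    findings: List[str] = []
    for action in role.get("Actions", []):
        if "*" in action:
            findings.append(f"{role['Name']}: wildcard action {action!r}")
    for scope in role.get("AssignableScopes", []):
        if "/resourceGroups/" not in scope:
            findings.append(f"{role['Name']}: assignable at broad scope {scope!r}")
    return findings


if __name__ == "__main__":
    for role in (BROAD_ROLE, SCOPED_ROLE):
        print(role["Name"], "->", check_role(role) or "passes")
```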