NIST 800-53 REV 5 • CONFIGURATION MANAGEMENT

CM-5(5) Privilege Limitation for Production and Operation

Limit privileges to change system components and system-related information within a production or operational environment; and review and reevaluate privileges {{ insert: param, cm-5.5_prm_1 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission/business processes are, in some cases, unknown to developers. System-related information includes operational procedures.

Practitioner Notes

This enhancement limits the privileges of personnel who work on production and operational systems — developers should not have unrestricted access to production.

Example 1: Implement separate Active Directory accounts for system administrators — a standard user account for daily work and a separate admin account used only for production changes, managed through CyberArk or Azure PIM.

Example 2: In your CI/CD pipeline, ensure developers can deploy to test environments but only designated operations staff can deploy to production using Azure DevOps environment gates.
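The two practitioner examples above, together with the control's "review and reevaluate" clause, can be checked mechanically against an account inventory. The following script is an added illustration, not part of NIST SP 800-53 or any CMMC/800-171 text, and it does not talk to Active Directory, CyberArk, PIM or Azure DevOps; it runs on a constructed inventory of accounts (names, roles, environments and review dates are all made up) and the 90-day review period is an assumed organization-defined frequency. It flags production-change rights on a daily-use account, production deploy rights held by a developer, and production privileges whose last review is older than the period.

```python
"""Privilege review for production-change rights, in the spirit of CM-5(5).

Added example with constructed data. It audits an account inventory against
three rules the control and the practitioner notes imply:
  1. production-change rights belong only to a dedicated admin account, never
     to the standard account a person uses for daily work;
  2. developer accounts may deploy to test but not to production;
  3. every production privilege is re-reviewed within a defined period.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Assumed organization-defined review frequency (the CM-5(5) parameter).
REVIEW_PERIOD = timedelta(days=90)


@dataclass
class Account:
    name: str
    owner: str                 # person behind the account
    kind: str                  # "standard" (daily use) or "admin" (privileged use only)
    role: str                  # "developer" or "operations"
    environments: Set[str] = field(default_factory=set)  # where it may deploy/change
    last_reviewed: Optional[date] = None


def review_privileges(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account name, finding) pairs for every violated rule."""
    findings = []
    for acct in accounts:
        has_prod = "production" in acct.environments
        if not has_prod:
            continue  # only production-change rights are in scope here
        if acct.kind == "standard":
            findings.append((acct.name, "production rights on daily-use account"))
        if acct.role == "developer":
            findings.append((acct.name, "developer holds production deploy rights"))
        overdue = acct.last_reviewed is None or today - acct.last_reviewed > REVIEW_PERIOD
        if overdue:
            findings.append((acct.name, "production privilege overdue for review"))
    return findings


# Constructed sample inventory; nothing here describes a real organization.
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    # Developer with a single account limited to test: compliant.
    Account("alice", "Alice", "standard", "developer", {"test"}, TODAY - timedelta(days=5)),
    # Operations staff with separate daily and admin accounts: compliant.
    Account("bob", "Bob", "standard", "operations", set(), TODAY - timedelta(days=5)),
    Account("bob-adm", "Bob", "admin", "operations", {"production"}, TODAY - timedelta(days=30)),
    # Developer whose daily account can also change production: two findings.
    Account("carol", "Carol", "standard", "developer", {"test", "production"}, TODAY - timedelta(days=10)),
    # Admin account whose production privilege has not been reviewed in 200 days.
    Account("dave-adm", "Dave", "admin", "operations", {"production"}, TODAY - timedelta(days=200)),
]


def audit() -> List[Tuple[str, str]]:
    """Run the review over the constructed inventory."""
    return review_privileges(SAMPLE_ACCOUNTS, TODAY)


if __name__ == "__main__":
    for name, finding in audit():
        print(f"{name}: {finding}")
```

In practice the inventory would be exported from the directory, the PAM tool and the pipeline's environment permissions, and the script's output would feed the periodic review record the control's parameter requires.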