NIST 800-53 REV 5 • SYSTEM AND SERVICES ACQUISITION
SA-8(11) — Inverse Modification Threshold
Implement the security design principle of inverse modification threshold in [Assignment: organization-defined systems or system components].
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
The principle of inverse modification threshold builds on the principle of trusted components and the principle of hierarchical trust and states that the degree of protection provided to a component is commensurate with its trustworthiness. As the trust placed in a component increases, the protection against unauthorized modification of the component also increases to the same degree. Protection from unauthorized modification can come in the form of the component’s own self-protection and innate trustworthiness, or it can come from the protections afforded to the component from other elements or attributes of the security architecture (to include protections in the environment of operation).
Practitioner Notes
Inverse modification threshold means that the more critical a component is, the harder it should be to modify. High-privilege changes should require more approvals, more oversight, and more verification than low-privilege changes.
Example 1: Implement tiered change control: changes to workstations require IT manager approval. Changes to servers require both IT manager and system owner approval. Changes to domain controllers or security infrastructure require CISO approval and a documented change advisory board review.
Example 2: In Azure, use Resource Locks on critical resources (domain controllers, key vaults, security appliances) to prevent accidental modification. Implement Azure PIM so that privileged changes require just-in-time approval with multi-person authorization for the most critical resources.
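The tiered change control in Example 1 can be both enforced and checked for consistency in code. The sketch below is an added example, not part of NIST SP 800-53 or of any product; the numeric trust levels, the role ranking used to compare tiers, and the function names are assumptions.

```python
# Added illustration. Component classes and approver roles follow Example 1;
# trust levels, role ranks and function names are assumptions.
ROLE_RANK = {"it_manager": 1, "system_owner": 2, "ciso": 3}

# component class -> (trust level, roles that must all approve, CAB review required)
POLICY = {
    "workstation": (1, {"it_manager"}, False),
    "server": (2, {"it_manager", "system_owner"}, False),
    "domain_controller": (3, {"ciso"}, True),
}


def strength(rule):
    """Order modification barriers: CAB review first, then most senior approver."""
    _, roles, cab = rule
    return (cab, max(ROLE_RANK[r] for r in roles))


def policy_violations(policy):
    """Return (lower, higher) class pairs where the more trusted class is not
    strictly harder to modify, i.e. the principle is broken.
    Assumes each class has a distinct trust level."""
    ordered = sorted(policy.items(), key=lambda kv: kv[1][0])
    return [
        (lo, hi)
        for (lo, lo_rule), (hi, hi_rule) in zip(ordered, ordered[1:])
        if strength(hi_rule) <= strength(lo_rule)
    ]


def change_allowed(policy, component, approvals, cab_reviewed=False):
    """Gate a change request: every required role approved, CAB done if required.
    Unknown component classes are denied, not defaulted to the lowest tier."""
    rule = policy.get(component)
    if rule is None:
        return False
    _, roles, cab = rule
    return roles <= set(approvals) and (cab_reviewed or not cab)


if __name__ == "__main__":
    print("policy violations:", policy_violations(POLICY))
    print("server, IT manager only:", change_allowed(POLICY, "server", {"it_manager"}))
    print("DC, CISO + CAB:", change_allowed(POLICY, "domain_controller", {"ciso"}, True))
```

Running `policy_violations` whenever the policy table is edited catches a later change that quietly makes a high-trust tier easier to modify than the tier below it.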