>myctrl.tools
Preferences
Under active development Content is continuously updated and improved
Compare

CM-5Access Restrictions for Change

IL4 Mod
IL4 High
IL5
IL6

>Control Description

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the system.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals' privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).

>Programmatic Queries

Beta

Related Services

IAM
CodePipeline
Service Catalog

CLI Commands

Check IAM policies for deployment
aws iam list-policies --query 'Policies[?contains(PolicyName,`Deploy`) || contains(PolicyName,`Pipeline`)]'
List CodePipeline approvals
aws codepipeline list-action-executions --pipeline-name PIPELINE --filter 'pipelineExecutionId=EXEC_ID'
Check Service Catalog constraints
aws servicecatalog list-constraints-for-portfolio --portfolio-id PORTFOLIO_ID
List CodeCommit approval rules
aws codecommit get-approval-rule-template --approval-rule-template-name TEMPLATE_NAME
Open AWS ConsoleDocumentation

>Related Controls

AC-3
AC-5
AC-6
CM-9
PE-3
SC-28
SC-34
SC-37
SI-2
SI-10

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-5 (Access Restrictions For Change)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-5?
  • How frequently is the CM-5 policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-5?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-5 requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-5?
  • How is CM-5 integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-5 requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-5?
  • What audit logs, records, reports, or monitoring data validate CM-5 compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-5 effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-5 compliance?

Ask AI

Configure your API key to use AI features.