Overview:
The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].
Supplemental Guidance:
In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are, in some cases, unknown to developers.
Related control: AC-2.
Action Items:
1) Ensure only qualified personnel can implement changes
Related Documents:
1) Secure Systems Configuration Policy
2) Change Management Policy
3) Access Control Policy
Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
CM-5 (5) (b) [at least quarterly]
Moderate Additional FedRAMP Requirements and Guidance
none
Article ID: 651
Created: September 29, 2022
Last Updated: September 29, 2022
Author: Matthew Burdick
Online URL: http://www.compliancewiki.org/article/limit-production-and-operational-privileges-cm-5-5-651.html