CMMC Practice CM.L2-3.4.5

Access Restrictions for Change: Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

Monarch ISC Guidance

Change management includes identifying who is permitted to perform actual system changes, which requires defining logical access requirements for personnel with change authorization. What also matters is when changes are permitted to be performed and where they will be performed from. Having defined change windows means you understand the possible security implications of making changes. One of those is system disruption, that is, the loss of system availability. That's why it's important to know when each week there is the least chance of disrupting productivity, and to set change windows accordingly.

Physical access also matters, so you'll need to ensure that personnel with change management responsibilities have the physical access they require to perform identified changes during those change windows. This can mean configuring a centrally managed card-key or code-key system, or issuing keys to facilities, as needed. These access requirements should be recorded in individual staff files, as well as in any central facilities access management system. This becomes critical when an employee's relationship with your organization is terminated for any reason. You're going to want a quick reference for all the logical and physical access that employee had, so you can disable it in a timely manner.

Discussion From Source

NIST SP 800-171 R2: Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries. Access restrictions include physical and logical access control requirements, workflow automation, media libraries, abstract layers (e.g., changes implemented into external interfaces rather than directly into systems), and change windows (e.g., changes occur only during certain specified times). In addition to security concerns, commonly-accepted due diligence for configuration management includes access restrictions as an essential part in ensuring the ability to effectively manage the configuration. NIST SP 800-128 provides guidance on configuration change control.

References