CM-5(1)—Access Restrictions for Change | Automated Access Enforcement and Audit Records

IL4 Mod

IL4 High

IL5

IL6

>Control Description

(a) Enforce access restrictions using ⚙organization-defined automated mechanisms; and (b) Automatically generate audit records of the enforcement actions.

>DoD Impact Level Requirements

No specific parameter values or requirements for this impact level.

>Discussion

Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes.

>Related Controls

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

•What formal policies and procedures govern the implementation of CM-5(1) (Automated Access Enforcement And Audit Records)?
•Who are the designated roles responsible for implementing, maintaining, and monitoring CM-5(1)?
•How frequently is the CM-5(1) policy reviewed and updated, and what triggers policy changes?
•What training or awareness programs ensure personnel understand their responsibilities related to CM-5(1)?

Technical Implementation:

•Describe the specific technical mechanisms or controls used to enforce CM-5(1) requirements.
•What automated tools, systems, or technologies are deployed to implement CM-5(1)?
•How is CM-5(1) integrated into your system architecture and overall security posture?
•What configuration settings, parameters, or technical specifications enforce CM-5(1) requirements?

Evidence & Documentation:

•What documentation demonstrates the complete implementation of CM-5(1)?
•What audit logs, records, reports, or monitoring data validate CM-5(1) compliance?
•Can you provide evidence of periodic reviews, assessments, or testing of CM-5(1) effectiveness?
•What artifacts would you present during a FedRAMP assessment to demonstrate CM-5(1) compliance?

Ask AI

Configure your API key to use AI features.