
3.4.5 Configuration Management - Derived

Derived Requirement

>Control Description

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

>Discussion

Any changes to the hardware, software, or firmware components of systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes, including upgrades and modifications. Access restrictions for change also include software libraries.

Access restrictions include physical and logical access control requirements, workflow automation, media libraries, abstract layers (e.g., changes implemented into external interfaces rather than directly into systems), and change windows (e.g., changes occur only during certain specified times). In addition to security concerns, commonly-accepted due diligence for configuration management includes access restrictions as an essential part in ensuring the ability to effectively manage the configuration. [SP 800-128] provides guidance on configuration change control.
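The following is an added example, not text from NIST or from this page: a small logical access gate that a configuration-management pipeline could call before applying a change. It enforces three of the restriction types the discussion lists (role-based logical access, an approval workflow in the form of a required ticket, and a change window) and writes an audit record for both allowed and denied attempts. All roles, targets, user names, tickets and times are constructed for illustration.

```python
"""Added example (not from the page or NIST): a logical access gate for
configuration changes, covering role-based access, approval tickets and a
change window. Every name and value here is constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, time, timezone
from typing import Dict, List, Optional, Set

# Constructed policy: which roles may apply changes to which targets.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "network-admin": {"firewall-ruleset", "router-config"},
    "sysadmin": {"server-baseline", "software-library"},
    "developer": set(),  # may propose changes but may not apply any
}

# Constructed approval rule: these targets need a recorded approval ticket.
APPROVAL_REQUIRED = {"firewall-ruleset", "server-baseline"}

# Constructed change window, 22:00-06:00 UTC (wraps past midnight).
WINDOW_START = time(22, 0)
WINDOW_END = time(6, 0)


@dataclass
class ChangeRequest:
    requester: str
    roles: Set[str]
    target: str
    approval_ticket: Optional[str] = None
    emergency: bool = False  # emergency changes may ignore the window only


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def in_change_window(when: datetime) -> bool:
    """True when an aware datetime falls inside the change window."""
    t = when.astimezone(timezone.utc).time()
    if WINDOW_START <= WINDOW_END:
        return WINDOW_START <= t < WINDOW_END
    return t >= WINDOW_START or t < WINDOW_END  # window wraps past midnight


def authorize_change(req: ChangeRequest, when: datetime) -> Decision:
    """Apply every restriction and collect all reasons for a denial."""
    reasons: List[str] = []
    permitted = set().union(*(ROLE_PERMISSIONS.get(r, set()) for r in req.roles))
    if req.target not in permitted:
        reasons.append(f"roles {sorted(req.roles)} not authorized for {req.target}")
    if req.target in APPROVAL_REQUIRED and not req.approval_ticket:
        reasons.append(f"{req.target} requires an approval ticket")
    if not req.emergency and not in_change_window(when):
        reasons.append("outside the approved change window")
    return Decision(allowed=not reasons, reasons=reasons)


def audit_record(req: ChangeRequest, when: datetime, decision: Decision) -> dict:
    """Record allowed and denied attempts alike; denials are evidence too."""
    return {
        "time": when.astimezone(timezone.utc).isoformat(),
        "requester": req.requester,
        "target": req.target,
        "ticket": req.approval_ticket,
        "result": "allowed" if decision.allowed else "denied",
        "reasons": list(decision.reasons),
    }


def demo() -> Dict[str, dict]:
    """Run four constructed scenarios and return their audit records."""
    utc = timezone.utc
    cases = {
        "routine-authorized": (ChangeRequest("alice", {"network-admin"},
                               "firewall-ruleset", "CHG-1042"),
                               datetime(2024, 3, 2, 23, 15, tzinfo=utc)),
        "developer-no-rights": (ChangeRequest("dev1", {"developer"},
                                "firewall-ruleset"),
                                datetime(2024, 3, 2, 23, 20, tzinfo=utc)),
        "missing-ticket-out-of-window": (ChangeRequest("bob", {"sysadmin"},
                                         "server-baseline"),
                                         datetime(2024, 3, 3, 13, 2, tzinfo=utc)),
        "emergency": (ChangeRequest("bob", {"sysadmin"}, "software-library",
                      "CHG-1060", emergency=True),
                      datetime(2024, 3, 3, 13, 5, tzinfo=utc)),
    }
    return {name: audit_record(req, when, authorize_change(req, when))
            for name, (req, when) in cases.items()}


if __name__ == "__main__":
    for name, record in demo().items():
        print(name, record)
```

The gate collects every failed restriction rather than stopping at the first, so the audit record shows an assessor exactly which control blocked an attempt; the emergency flag relaxes only the change window, never the role check or the approval requirement.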

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern access restrictions for configuration change?
  • Who is authorized to make configuration changes?
  • What approval workflows control privileged configuration access?
  • How are configuration change privileges reviewed and audited?
  • What procedures prevent unauthorized configuration modifications?

Technical Implementation:

  • What technical controls restrict configuration change access?
  • How do you enforce least privilege for configuration management?
  • What role-based access controls govern configuration systems?
  • How are configuration change privileges monitored and logged?
  • What mechanisms prevent unauthorized configuration access?

Evidence & Documentation:

  • Can you provide access control lists for configuration systems?
  • What logs show configuration change attempts and authorizations?
  • Can you demonstrate restricted access to configuration tools?
  • What evidence proves only authorized personnel make changes?
  • What audit reports verify configuration access restrictions?
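The evidence questions above ask for logs that show change attempts and their authorizations. The following is an added example, not from the page, of reviewing such a log against the policy: each successful apply is checked for an authorized user, a recorded ticket where one is required, and the change window, while denied attempts are counted as evidence that the restriction is enforced. The log format, user names, targets and policy are all constructed for illustration.

```python
"""Added example (not from the page): review a constructed configuration-change
audit log for the evidence an assessor asks for under 3.4.5."""
from datetime import datetime
from typing import Dict, List

# Constructed sample log: one line per change attempt, key=value fields.
SAMPLE_LOG = """\
2024-03-02T23:15:04Z user=alice target=firewall-ruleset action=apply ticket=CHG-1042 result=success
2024-03-03T13:02:11Z user=bob target=server-baseline action=apply ticket=- result=success
2024-03-03T13:05:40Z user=dave target=router-config action=apply ticket=CHG-1050 result=denied
2024-03-04T02:40:09Z user=erin target=software-library action=apply ticket=CHG-1051 result=success
2024-03-04T02:41:30Z user=alice target=router-config action=apply ticket=CHG-1052 result=success
"""

# Constructed policy the log is reviewed against.
AUTHORIZED_USERS = {
    "firewall-ruleset": {"alice"},
    "router-config": {"alice", "dave"},
    "server-baseline": {"bob"},
    "software-library": {"bob"},
}
TICKET_REQUIRED = {"firewall-ruleset", "server-baseline"}
WINDOW_START_HOUR, WINDOW_END_HOUR = 22, 6  # UTC, wraps past midnight


def parse_line(line: str) -> dict:
    """Turn '<timestamp> k=v k=v ...' into a dict with a parsed 'time'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def in_window(when: datetime) -> bool:
    return when.hour >= WINDOW_START_HOUR or when.hour < WINDOW_END_HOUR


def review(log_text: str) -> Dict[str, object]:
    """Return counts of applied/denied changes and a list of policy findings."""
    findings: List[str] = []
    applied = denied = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["action"] != "apply":
            continue
        if rec["result"] == "denied":
            denied += 1  # the gate refused it: evidence of enforcement
            continue
        applied += 1
        who, target, when = rec["user"], rec["target"], rec["time"]
        stamp = when.isoformat() + "Z"
        if who not in AUTHORIZED_USERS.get(target, set()):
            findings.append(f"{stamp} {who} applied a change to {target} without authorization")
        if target in TICKET_REQUIRED and rec["ticket"] in ("", "-"):
            findings.append(f"{stamp} {who} changed {target} with no approval ticket recorded")
        if not in_window(when):
            findings.append(f"{stamp} {who} changed {target} outside the change window")
    return {"applied": applied, "denied": denied, "findings": findings}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    print(f"applied={result['applied']} denied={result['denied']}")
    for f in result["findings"]:
        print("FINDING:", f)
```

On the constructed log this reports four applied changes, one denied attempt, and three findings: a change to server-baseline with no ticket, the same change made outside the window, and a software-library change by a user who is not on the authorized list. The findings are the items a reviewer would take into the interview; the denial count is the positive evidence that the restriction blocks attempts rather than only logging them.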
