myctrl.tools
Compare

CM-5(4)Dual Authorization

>Control Description

Enforce dual authorization for implementing changes to organization-defined system components and system-level information.

>Cross-Framework Mappings

SCF

CHG-04.3
Compare

>Supplemental Guidance

Organizations employ dual authorization to help ensure that any changes to selected system components and information cannot occur unless two qualified individuals approve and implement such changes. The two individuals possess the skills and expertise to determine if the proposed changes are correct implementations of approved changes. The individuals are also accountable for the changes.

Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. System-level information includes operational procedures.

>Related Controls

AC-2
AC-5
CM-3

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What formal policies and procedures govern the implementation of CM-5(4) (Dual Authorization)?
  • Who are the designated roles responsible for implementing, maintaining, and monitoring CM-5(4)?
  • How frequently is the CM-5(4) policy reviewed and updated, and what triggers policy changes?
  • What training or awareness programs ensure personnel understand their responsibilities related to CM-5(4)?

Technical Implementation:

  • Describe the specific technical mechanisms or controls used to enforce CM-5(4) requirements.
  • What automated tools, systems, or technologies are deployed to implement CM-5(4)?
  • How is CM-5(4) integrated into your system architecture and overall security posture?
  • What configuration settings, parameters, or technical specifications enforce CM-5(4) requirements?

Evidence & Documentation:

  • What documentation demonstrates the complete implementation of CM-5(4)?
  • What audit logs, records, reports, or monitoring data validate CM-5(4) compliance?
  • Can you provide evidence of periodic reviews, assessments, or testing of CM-5(4) effectiveness?
  • What artifacts would you present during a FedRAMP assessment to demonstrate CM-5(4) compliance?

Ask AI

Configure your API key to use AI features.