CCI-000354

Implementation Guidance

Determine if: - dual authorization for implementing changes to [CM-05(04)_ODP[01]; system components requiring dual authorization for changes are defined] is enforced. - dual authorization for implementing changes to [CM-05(04)_ODP[02]; system-level information requiring dual authorization for changes is defined] is enforced.

Validation Procedures

Examine: [SELECT FROM: Configuration management policy; procedures addressing access restrictions for changes to the system; configuration management plan; system design documentation; system architecture and configuration documentation; system configuration settings and associated documentation; change control records; system audit records; system component inventory; system information types information; system security plan; other relevant documents or records]. Interview: [SELECT FROM: Organizational personnel with dual authorization enforcement responsibilities for implementing system changes; organizational personnel with information security responsibilities; system/network administrators]. Test: [SELECT FROM: Organizational processes for managing access restrictions to change; mechanisms implementing dual authorization enforcement].