Navigate

CM-5(1)

CM-5(1): Automated Access Enforcement and Audit Records

(a): Enforce access restrictions using [mechanisms used to automate the enforcement of access restrictions are defined;] ; and

(b): Automatically generate audit records of the enforcement actions.

Supplemental

Organizations log system accesses associated with applying configuration changes to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes.

CIA Levels
Confidentiality	unknown
Integrity	moderate
Availability	unknown

Overlays
DAF Baseline

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-5(1).

Control	Description
AU-2	a: Identify the types of events that the system is capable of logging in support of the audit function: [the event types that the system is capable of logging in support of the audit function are defined;]; b: Coordinate the event logging function with other organizational entities requiring audit-related information to guide and inform the selection criteria for events to be logged; c: Specify the following event types for logging within the system: [one of ]; d: Provide a rationale for why the event types selected for logging are deemed to be adequate to support after-the-fact investigations of incidents; and e: Review and update the event types selected for logging [the frequency of event types selected for logging are reviewed and updated;].
AU-6	a: Review and analyze system audit records [frequency at which system audit records are reviewed and analyzed is defined;] for indications of [inappropriate or unusual activity is defined;] and the potential impact of the inappropriate or unusual activity; b: Report findings to [personnel or roles to receive findings from reviews and analyses of system records is/are defined;] ; and c: Adjust the level of audit record review, analysis, and reporting within the system when there is a change in risk based on law enforcement information, intelligence information, or other credible sources of information.
AU-7	Provide and implement an audit record reduction and report generation capability that: a: Supports on-demand audit record review, analysis, and reporting requirements and after-the-fact investigations of incidents; and b: Does not alter the original content or time ordering of audit records.
AU-12	a: Provide audit record generation capability for the event types the system is capable of auditing as defined in [AU-2a](#au-2_smt.a) on [system components that provide an audit record generation capability for the events types (defined in AU-02_ODP[02]) are defined;]; b: Allow [personnel or roles allowed to select the event types that are to be logged by specific components of the system is/are defined;] to select the event types that are to be logged by specific components of the system; and c: Generate audit records for the event types defined in [AU-2c](#au-2_smt.c) that include the audit record content defined in [AU-3](#au-3).
CM-6	a: Establish and document configuration settings for components employed within the system that reflect the most restrictive mode consistent with operational requirements using [common secure configurations to establish and document configuration settings for components employed within the system are defined;]; b: Implement the configuration settings; c: Identify, document, and approve any deviations from established configuration settings for [system components for which approval of deviations is needed are defined;] based on [operational requirements necessitating approval of deviations are defined;] ; and d: Monitor and control changes to the configuration settings in accordance with organizational policies and procedures.
CM-11	a: Establish [policies governing the installation of software by users are defined;] governing the installation of software by users; b: Enforce software installation policies through the following methods: [methods used to enforce software installation policies are defined;] ; and c: Monitor policy compliance [frequency with which to monitor compliance is defined;].
SI-12	Manage and retain information within the system and information output from the system in accordance with applicable laws, executive orders, directives, regulations, policies, standards, guidelines and operational requirements.

Enhancements

The controls below (if any) add on to the requirements of CM-5(1).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-5(1).

CCI	Definition
CCI-001813	Enforce access restrictions using organization-defined mechanisms.
CCI-003937	Defines the automated mechanisms to enforce access restrictions.
CCI-003938	Automatically generate audit records of the enforcement actions.