Navigate

CM-5 (4)

CM-5 (4): Dual Authorization

The organization enforces dual authorization for implementing changes to [Assignment: organization-defined information system components and system-level information].

Supplemental

Organizations employ dual authorization to ensure that any changes to selected information system components and information cannot occur unless two qualified individuals implement such changes. The two individuals possess sufficient skills/expertise to determine if the proposed changes are correct implementations of approved changes. Dual authorization may also be known as two-person control.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), Int-C

Related Controls

The controls below (if any) were marked by NIST as being related to CM-5 (4).

Control	Description
AC-5	The organization: AC-5a.: Separates [Assignment: organization-defined duties of individuals]; AC-5b.: Documents separation of duties of individuals; and AC-5c.: Defines information system access authorizations to support separation of duties.
CM-3	The organization: CM-3a.: Determines the types of changes to the information system that are configuration-controlled; CM-3b.: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; CM-3c.: Documents configuration change decisions associated with the information system; CM-3d.: Implements approved configuration-controlled changes to the information system; CM-3e.: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period]; CM-3f.: Audits and reviews activities associated with configuration-controlled changes to the information system; and CM-3g.: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

Control

Description

AC-5

The organization:

AC-5a.: Separates [Assignment: organization-defined duties of individuals];

AC-5b.: Documents separation of duties of individuals; and

AC-5c.: Defines information system access authorizations to support separation of duties.

CM-3

The organization:

CM-3a.: Determines the types of changes to the information system that are configuration-controlled;

CM-3b.: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses;

CM-3c.: Documents configuration change decisions associated with the information system;

CM-3d.: Implements approved configuration-controlled changes to the information system;

CM-3e.: Retains records of configuration-controlled changes to the information system for [Assignment: organization-defined time period];

CM-3f.: Audits and reviews activities associated with configuration-controlled changes to the information system; and

CM-3g.: Coordinates and provides oversight for configuration change control activities through [Assignment: organization-defined configuration change control element (e.g., committee, board)] that convenes [Selection (one or more): [Assignment: organization-defined frequency]; [Assignment: organization-defined configuration change conditions]].

Enhancements

The controls below (if any) add on to the requirements of CM-5 (4).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-5 (4).

CCI	Definition
CCI-000353	The organization defines information system components requiring enforcement of a dual authorization for information system changes.
CCI-000354	The organization enforces dual authorization for changes to organization-defined information system components.
CCI-001751	The organization defines system-level information requiring enforcement of a dual authorization for information system changes.
CCI-001752	The organization enforces dual authorization for changes to organization-defined system-level information.