Navigate

CM-5(5)

CM-5(5): Privilege Limitation for Production and Operation

(a): Limit privileges to change system components and system-related information within a production or operational environment; and

(b): Review and reevaluate privileges [one of ].

Supplemental

In many organizations, systems support multiple mission and business functions. Limiting privileges to change system components with respect to operational systems is necessary because changes to a system component may have far-reaching effects on mission and business processes supported by the system. The relationships between systems and mission/business processes are, in some cases, unknown to developers. System-related information includes operational procedures.

CIA Levels
Confidentiality	unknown
Integrity	low
Availability	unknown

Overlays
Classified, DAF Baseline, Int-A, Int-B, Int-C

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-5(5).

Control	Description
AC-2	a: Define and document the types of accounts allowed and specifically prohibited for use within the system; b: Assign account managers; c: Require [prerequisites and criteria for group and role membership are defined;] for group and role membership; d: Specify: 1: Authorized users of the system; 2: Group and role membership; and 3: Access authorizations (i.e., privileges) and [attributes (as required) for each account are defined;] for each account; e: Require approvals by [personnel or roles required to approve requests to create accounts is/are defined;] for requests to create accounts; f: Create, enable, modify, disable, and remove accounts in accordance with [policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;]; g: Monitor the use of accounts; h: Notify account managers and [personnel or roles to be notified is/are defined;] within: 1: [time period within which to notify account managers when accounts are no longer required is defined;] when accounts are no longer required; 2: [time period within which to notify account managers when users are terminated or transferred is defined; ] when users are terminated or transferred; and 3: [time period within which to notify account managers when system usage or the need to know changes for an individual is defined;] when system usage or need-to-know changes for an individual; i: Authorize access to the system based on: 1: A valid access authorization; 2: Intended system usage; and 3: [attributes needed to authorize system access (as required) are defined;]; j: Review accounts for compliance with account management requirements [the frequency of account review is defined;]; k: Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and l: Align account management processes with personnel termination and transfer processes.

Control

Description

AC-2

a: Define and document the types of accounts allowed and specifically prohibited for use within the system;

b: Assign account managers;

c: Require [prerequisites and criteria for group and role membership are defined;] for group and role membership;

d: Specify:
- 1: Authorized users of the system;
- 2: Group and role membership; and
- 3: Access authorizations (i.e., privileges) and [attributes (as required) for each account are defined;] for each account;

e: Require approvals by [personnel or roles required to approve requests to create accounts is/are defined;] for requests to create accounts;

f: Create, enable, modify, disable, and remove accounts in accordance with [policy, procedures, prerequisites, and criteria for account creation, enabling, modification, disabling, and removal are defined;];

g: Monitor the use of accounts;

h: Notify account managers and [personnel or roles to be notified is/are defined;] within:
- 1: [time period within which to notify account managers when accounts are no longer required is defined;] when accounts are no longer required;
- 2: [time period within which to notify account managers when users are terminated or transferred is defined; ] when users are terminated or transferred; and
- 3: [time period within which to notify account managers when system usage or the need to know changes for an individual is defined;] when system usage or need-to-know changes for an individual;

i: Authorize access to the system based on:
- 1: A valid access authorization;
- 2: Intended system usage; and
- 3: [attributes needed to authorize system access (as required) are defined;];

j: Review accounts for compliance with account management requirements [the frequency of account review is defined;];

k: Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and

l: Align account management processes with personnel termination and transfer processes.

Enhancements

The controls below (if any) add on to the requirements of CM-5(5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-5(5).

CCI	Definition
CCI-001753	Limit privileges to change system components within a production or operational environment.
CCI-001754	Limit privileges to change system-related information within a production or operational environment.
CCI-003939	Defines the frequency with which to review and reevaluate system privileges.
CCI-003940	Review and reevaluate system privileges per an organization-defined frequency.