Navigate

CM-5 (5)

CM-5 (5): Limit Production / Operational Privileges

The organization:

CM-5 (5)(a): Limits privileges to change information system components and system-related information within a production or operational environment; and

CM-5 (5)(b): Reviews and reevaluates privileges [Assignment: organization-defined frequency].

Supplemental

In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers.

CIA Levels
Confidentiality	unknown
Integrity	low
Availability	unknown

Overlays
Classified, Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), Int-A, Int-B, Int-C

Related Controls

The controls below (if any) were marked by NIST as being related to CM-5 (5).

Control	Description
AC-2	The organization: AC-2a.: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; AC-2b.: Assigns account managers for information system accounts; AC-2c.: Establishes conditions for group and role membership; AC-2d.: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; AC-2e.: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts; AC-2f.: Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions]; AC-2g.: Monitors the use of information system accounts; AC-2h.: Notifies account managers: AC-2h.1.: When accounts are no longer required; AC-2h.2.: When users are terminated or transferred; and AC-2h.3.: When individual information system usage or need-to-know changes; AC-2i.: Authorizes access to the information system based on: AC-2i.1.: A valid access authorization; AC-2i.2.: Intended system usage; and AC-2i.3.: Other attributes as required by the organization or associated missions/business functions; AC-2j.: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and AC-2k.: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Control

Description

AC-2

The organization:

AC-2a.: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];

AC-2b.: Assigns account managers for information system accounts;

AC-2c.: Establishes conditions for group and role membership;

AC-2d.: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

AC-2e.: Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;

AC-2f.: Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];

AC-2g.: Monitors the use of information system accounts;

AC-2h.: Notifies account managers:
- AC-2h.1.: When accounts are no longer required;
- AC-2h.2.: When users are terminated or transferred; and
- AC-2h.3.: When individual information system usage or need-to-know changes;

AC-2i.: Authorizes access to the information system based on:
- AC-2i.1.: A valid access authorization;
- AC-2i.2.: Intended system usage; and
- AC-2i.3.: Other attributes as required by the organization or associated missions/business functions;

AC-2j.: Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and

AC-2k.: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Enhancements

The controls below (if any) add on to the requirements of CM-5 (5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-5 (5).

CCI	Definition
CCI-001753	The organization limits privileges to change information system components within a production or operational environment.
CCI-001754	The organization limits privileges to change system-related information within a production or operational environment.
CCI-001827	The organization defines the frequency with which to review information system privileges.
CCI-001828	The organization defines the frequency with which to reevaluate information system privileges.
CCI-001829	The organization reviews information system privileges per an organization-defined frequency.
CCI-001830	The organization reevaluates information system privileges per an organization-defined frequency.