Navigate

CM-5(1)

CM-5(1): Automated Access Enforcement / Auditing

The information system enforces access restrictions and supports auditing of the enforcement actions.

Supplemental

CIA Levels
Confidentiality	unknown
Integrity	high
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-5(1).

Control	Description
AU-2	The organization: a: Determines that the information system is capable of auditing the following events: [organization-defined auditable events]; b: Coordinates the security audit function with other organizational entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events; c: Provides a rationale for why the auditable events are deemed to be adequate to support after-the-fact investigations of security incidents; and d: Determines that the following events are to be audited within the information system: [organization-defined audited events (the subset of the auditable events defined in AU-2 a.) along with the frequency of (or situation requiring) auditing for each identified event].
AU-6	The organization: a: Reviews and analyzes information system audit records [organization-defined frequency] for indications of [organization-defined inappropriate or unusual activity]; and b: Reports findings to [organization-defined personnel or roles].
AU-12	The information system: a: Provides audit record generation capability for the auditable events defined in AU-2 a. at [organization-defined information system components]; b: Allows [organization-defined personnel or roles] to select which auditable events are to be audited by specific components of the information system; and c: Generates audit records for the events defined in AU-2 d. with the content defined in AU-3.
CM-3	The organization: a: Determines the types of changes to the information system that are configuration-controlled; b: Reviews proposed configuration-controlled changes to the information system and approves or disapproves such changes with explicit consideration for security impact analyses; c: Documents configuration change decisions associated with the information system; d: Implements approved configuration-controlled changes to the information system; e: Retains records of configuration-controlled changes to the information system for [organization-defined time period]; f: Audits and reviews activities associated with configuration-controlled changes to the information system; and g: Coordinates and provides oversight for configuration change control activities through [organization-defined configuration change control element (e.g., committee, board)] that convenes [one or more of {{ insert: param, cm-3_prm_4 }} / {{ insert: param, cm-3_prm_5 }} ].
CM-6	The organization: a: Establishes and documents configuration settings for information technology products employed within the information system using [organization-defined security configuration checklists] that reflect the most restrictive mode consistent with operational requirements; b: Implements the configuration settings; c: Identifies, documents, and approves any deviations from established configuration settings for [organization-defined information system components] based on [organization-defined operational requirements]; and d: Monitors and controls changes to the configuration settings in accordance with organizational policies and procedures.

Enhancements

The controls below (if any) add on to the requirements of CM-5(1).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-5(1).

CCI	Definition
CCI-001813	Enforce access restrictions using organization-defined mechanisms.
CCI-001814	The Information system supports auditing of the enforcement actions.