Navigate

CM-5(5)

CM-5(5): Limit Production / Operational Privileges

The organization:

(a): Limits privileges to change information system components and system-related information within a production or operational environment; and

(b): Reviews and reevaluates privileges [one of ].

Supplemental

In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers.

CIA Levels
Confidentiality	unknown
Integrity	low
Availability	unknown

Overlays
Classified, Cross Domain (Access), Cross Domain (Multilevel), Cross Domain (Transfer), Int-A, Int-B, Int-C

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-5(5).

Control	Description
AC-2	The organization: a: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [one of ]; b: Assigns account managers for information system accounts; c: Establishes conditions for group and role membership; d: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e: Requires approvals by [one of ] for requests to create information system accounts; f: Creates, enables, modifies, disables, and removes information system accounts in accordance with [one of ]; g: Monitors the use of information system accounts; h: Notifies account managers: 1: When accounts are no longer required; 2: When users are terminated or transferred; and 3: When individual information system usage or need-to-know changes; i: Authorizes access to the information system based on: 1: A valid access authorization; 2: Intended system usage; and 3: Other attributes as required by the organization or associated missions/business functions; j: Reviews accounts for compliance with account management requirements [one of ]; and k: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Control

Description

AC-2

The organization:

a: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [one of ];

b: Assigns account managers for information system accounts;

c: Establishes conditions for group and role membership;

d: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

e: Requires approvals by [one of ] for requests to create information system accounts;

f: Creates, enables, modifies, disables, and removes information system accounts in accordance with [one of ];

g: Monitors the use of information system accounts;

h: Notifies account managers:
- 1: When accounts are no longer required;
- 2: When users are terminated or transferred; and
- 3: When individual information system usage or need-to-know changes;

i: Authorizes access to the information system based on:
- 1: A valid access authorization;
- 2: Intended system usage; and
- 3: Other attributes as required by the organization or associated missions/business functions;

j: Reviews accounts for compliance with account management requirements [one of ]; and

k: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Enhancements

The controls below (if any) add on to the requirements of CM-5(5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-5(5).

CCI	Definition
CCI-001753	Limit privileges to change system components within a production or operational environment.
CCI-001754	Limit privileges to change system-related information within a production or operational environment.
CCI-001827	The organization defines the frequency with which to review information system privileges.
CCI-001828	The organization defines the frequency with which to reevaluate information system privileges.
CCI-001829	The organization reviews information system privileges per an organization-defined frequency.
CCI-001830	The organization reevaluates information system privileges per an organization-defined frequency.