Navigate

CM-5(5)

CM-5(5): Limit Production / Operational Privileges

The organization:

(a): Limits privileges to change information system components and system-related information within a production or operational environment; and

(b): Reviews and reevaluates privileges [organization-defined frequency].

Supplemental

In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers.

CIA Levels
Confidentiality	unknown
Integrity	high
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to CM-5(5).

Control	Description
AC-2	The organization: a: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [organization-defined information system account types]; b: Assigns account managers for information system accounts; c: Establishes conditions for group and role membership; d: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account; e: Requires approvals by [organization-defined personnel or roles] for requests to create information system accounts; f: Creates, enables, modifies, disables, and removes information system accounts in accordance with [organization-defined procedures or conditions]; g: Monitors the use of information system accounts; h: Notifies account managers: 1: When accounts are no longer required; 2: When users are terminated or transferred; and 3: When individual information system usage or need-to-know changes; i: Authorizes access to the information system based on: 1: A valid access authorization; 2: Intended system usage; and 3: Other attributes as required by the organization or associated missions/business functions; j: Reviews accounts for compliance with account management requirements [organization-defined frequency]; and k: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Control

Description

AC-2

The organization:

a: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [organization-defined information system account types];

b: Assigns account managers for information system accounts;

c: Establishes conditions for group and role membership;

d: Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;

e: Requires approvals by [organization-defined personnel or roles] for requests to create information system accounts;

f: Creates, enables, modifies, disables, and removes information system accounts in accordance with [organization-defined procedures or conditions];

g: Monitors the use of information system accounts;

h: Notifies account managers:
- 1: When accounts are no longer required;
- 2: When users are terminated or transferred; and
- 3: When individual information system usage or need-to-know changes;

i: Authorizes access to the information system based on:
- 1: A valid access authorization;
- 2: Intended system usage; and
- 3: Other attributes as required by the organization or associated missions/business functions;

j: Reviews accounts for compliance with account management requirements [organization-defined frequency]; and

k: Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.

Enhancements

The controls below (if any) add on to the requirements of CM-5(5).

Control	Description
No controls

Related CCIs

The CCIs below are tied to CM-5(5).

CCI	Definition
CCI-001753	Limit privileges to change system components within a production or operational environment.
CCI-001754	Limit privileges to change system-related information within a production or operational environment.
CCI-001827	The organization defines the frequency with which to review information system privileges.
CCI-001828	The organization defines the frequency with which to reevaluate information system privileges.
CCI-001829	The organization reviews information system privileges per an organization-defined frequency.
CCI-001830	The organization reevaluates information system privileges per an organization-defined frequency.