CM-5: Access Restrictions for Change

physical access restrictions associated with changes to the system are defined and documented;

physical access restrictions associated with changes to the system are approved;

physical access restrictions associated with changes to the system are enforced;

logical access restrictions associated with changes to the system are defined and documented;

logical access restrictions associated with changes to the system are approved;

logical access restrictions associated with changes to the system are enforced.

Configuration management policy

procedures addressing access restrictions for changes to the system

configuration management plan

system design documentation

system architecture and configuration documentation

system configuration settings and associated documentation

logical access approvals

physical access approvals

access credentials

change control records

system audit records

system security plan

other relevant documents or records

Organizational personnel with logical access control responsibilities

organizational personnel with physical access control responsibilities

organizational personnel with information security responsibilities

system/network administrators

Organizational processes for managing access restrictions to change

mechanisms supporting, implementing, or enforcing access restrictions associated with changes to the system