Embedded Files
This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.
NIST 800-53 (r4) Supplemental Guidance:
Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover). Related controls: AC-3, AC-6, PE-3.
References: None.
NIST 800-53 (r5) Discussion:
Changes to the hardware, software, or firmware components of systems or the operational procedures related to the system can potentially have significant effects on the security of the systems or individuals’ privacy. Therefore, organizations permit only qualified and authorized individuals to access systems for purposes of initiating changes. Access restrictions include physical and logical access controls (see AC-3 and PE-3), software libraries, workflow automation, media libraries, abstract layers (i.e., changes implemented into external interfaces rather than directly into systems), and change windows (i.e., changes occur only during specified times).
38North Guidance:
Meets Minimum Requirement:
Define, document, approve, and enforce logical access restrictions associated with changes to the information system when applicable. Logical access to the system must be restricted per AC-2 and AC-3 requirements. Role-based access privileges must provide the logical access restrictions associated with changes to the system.
Access to test environments must be restricted to only authorized personnel and roles. Only authorized individuals must be permitted access to information systems and data for purposes of testing changes.
Best Practice:
TBD
Unofficial FedRAMP Guidance:
TBD
Assessment Evidence:
System generated list of all accounts with access to non-production environments, to the source code for each application under review, and users with the ability to promote code to the production environment.
Evidence that measures are implemented to enforce logical access restrictions associated with changes to the information system.
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD
Page updated
Report abuse