HOME

CM-5 (5)

CM-5 (5) H M
Description

The organization:
(a) Limits privileges to change information system components and system-related information within a production or operational environment; and
(b) Reviews and reevaluates privileges [Assignment: organization-defined frequency].

FedRAMP
  • H CM-5 (5) (b) [at least quarterly]
  • M CM-5 (5) (b) [at least quarterly]
DISA Cloud Computing SRG

b. every 90 days

Source:
DoD RMF TAG

Supplemental Guidance

In many organizations, information systems support multiple core missions/business functions. Limiting privileges to change information system components with respect to operational systems is necessary because changes to a particular information system component may have far-reaching effects on mission/business processes supported by the system where the component resides. The complex, many-to-many relationships between systems and mission/business processes are in some cases, unknown to developers.

Related Controls