CHG-04.3: Dual Authorization for Change
Mechanisms exist to enforce a two-person rule for implementing changes to critical Technology Assets, Applications and/or Services (TAAS).
Control Question: Does the organization enforce a two-person rule for implementing changes to critical Technology Assets, Applications and/or Services (TAAS)?
General (16)
| Framework | Mapping Values |
|---|---|
| GovRAMP Low+ | AC-05 |
| GovRAMP Moderate | AC-05 |
| GovRAMP High | AC-05 |
| NIST 800-53 R4 | AC-5 CM-5(4) |
| NIST 800-53 R4 (moderate) | AC-5 |
| NIST 800-53 R4 (high) | AC-5 |
| NIST 800-53 R5 (source) | AC-5 CM-5(4) |
| NIST 800-53B R5 (moderate) (source) | AC-5 |
| NIST 800-53B R5 (high) (source) | AC-5 |
| NIST 800-53 R5 (NOC) (source) | CM-5(4) |
| NIST 800-82 R3 MODERATE OT Overlay | AC-5 |
| NIST 800-82 R3 HIGH OT Overlay | AC-5 |
| NIST 800-161 R1 | AC-5 |
| NIST 800-161 R1 Flow Down | AC-5 |
| NIST 800-161 R1 Level 2 | AC-5 |
| NIST 800-161 R1 Level 3 | AC-5 |
US (12)
| Framework | Mapping Values |
|---|---|
| US CERT RMM 1.2 | AM:SG1.SP1 ID:SG1.SP1 ID:SG1.SP2 ID:SG1.SP3 |
| US CJIS Security Policy 5.9.3 (source) | AC-5 |
| US CMS MARS-E 2.0 | AC-5 |
| US FedRAMP R4 | AC-5 |
| US FedRAMP R4 (moderate) | AC-5 |
| US FedRAMP R4 (high) | AC-5 |
| US FedRAMP R5 (source) | AC-5 |
| US FedRAMP R5 (moderate) (source) | AC-5 |
| US FedRAMP R5 (high) (source) | AC-5 |
| US IRS 1075 | AC-5 |
| US NISPOM 2020 | 8-611 |
| US - TX DIR Control Standards 2.0 | AC-5 |
EMEA (1)
| Framework | Mapping Values |
|---|---|
| EMEA Saudi Arabia OTCC-1 2022 | 2-2-1-6 |
Capability Maturity Model
Level 0 — Not Performed
There is no evidence of a capability to enforce a two-pers on rule for implementing changes to critical Technology Assets, Applications and/or Services (TAAS).
Level 1 — Performed Informally
C|P-CMM1 is N/A, since a structured process is required to enforce a two-pers on rule for implementing changes to critical Technology Assets, Applications and/or Services (TAAS).
Level 2 — Planned & Tracked
C|P-CMM2 is N/A, since a well-defined process is required to enforce a two-pers on rule for implementing changes to critical Technology Assets, Applications and/or Services (TAAS).
Level 3 — Well Defined
Change Management (CHG) efforts are standardized across the organization and centrally managed, where technically feasible, to ensure consistency. CMM Level 3 control maturity would reasonably expect all, or at least most, the following criteria to exist: o Exists to govern changes to systems, applications and services to ensure their stability, reliability and predictability. o Reviews RFC for cybersecurity and data privacy ramifications. o Notifies stakeholders to ensure awareness of the impact of proposed changes.
- An IT Asset Management (ITAM) function, or similar function, ensures compliance with requirements for asset management.
- ITAM leverages a Configuration Management Database (CMDB), or similar tool, as the authoritative source of IT assets.
- Logical Access Control (LAC) is governed to limit the ability of non-administrators from making configuration changes to systems, applications and services.
- A formal Change Management (CM) program ensures that no unauthorized changes are made, that all changes are documented, that services are not disrupted and that resources are used efficiently.
- The CM function has formally defined roles and associated responsibilities.
- Changes are tracked through a centralized technology solution to submit, review, approve and assign Requests for Change (RFC).
- A Change Advisory Board (CAB), or similar function:
- IT personnel use dedicated development/test/staging environments to deploy and evaluate changes, wherever technically possible.
- Critical systems are configured to use dual authorization mechanisms requiring the approval of two authorized individuals in order to execute a change.
Level 4 — Quantitatively Controlled
See C|P-CMM3. There are no defined C|P-CMM4 criteria, since it is reasonable to assume a quantitatively-controlled process is not necessary to enforce a two-pers on rule for implementing changes to critical Technology Assets, Applications and/or Services (TAAS).
Level 5 — Continuously Improving
See C|P-CMM4. There are no defined C|P-CMM5 criteria, since it is reasonable to assume a continuously-improving process is not necessary to enforce a two-pers on rule for implementing changes to critical Technology Assets, Applications and/or Services (TAAS).
Assessment Objectives
- CHG-04.3_A01 critical or sensitive system and organizational operations for which dual authorization is to be enforced are identified.
- CHG-04.3_A02 dual authorization is employed to execute critical or sensitive system and organizational operations.
Technology Recommendations
Micro/Small
- Logical Access Control (LAC)
- Physical Access Control (PAC)
- Role Based Access Control (RBAC)
- Separation of Duties (SoD)
Small
- Logical Access Control (LAC)
- Physical Access Control (PAC)
- Role Based Access Control (RBAC)
- Separation of Duties (SoD)
Medium
- Logical Access Control (LAC)
- Physical Access Control (PAC)
- Role Based Access Control (RBAC)
- Separation of Duties (SoD)
Large
- Logical Access Control (LAC)
- Physical Access Control (PAC)
- Role Based Access Control (RBAC)
- Separation of Duties (SoD)
Enterprise
- Logical Access Control (LAC)
- Physical Access Control (PAC)
- Role Based Access Control (RBAC)
- Separation of Duties (SoD)