800-53|CM-5

Title

ACCESS RESTRICTIONS FOR CHANGE

Description

The organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to the information system.

Supplemental

Any changes to the hardware, software, and/or firmware components of information systems can potentially have significant effects on the overall security of the systems. Therefore, organizations permit only qualified and authorized individuals to access information systems for purposes of initiating changes, including upgrades and modifications. Organizations maintain records of access to ensure that configuration change control is implemented and to support after-the-fact actions should organizations discover any unauthorized changes. Access restrictions for change also include software libraries. Access restrictions include, for example, physical and logical access controls (see AC-3 and PE-3), workflow automation, media libraries, abstract layers (e.g., changes implemented into third-party interfaces rather than directly into information systems), and change windows (e.g., changes occur only during specified times, making unauthorized changes easy to discover).

Reference Item Details

Related: AC-3,AC-6,PE-3

Category: CONFIGURATION MANAGEMENT

Family: CONFIGURATION MANAGEMENT

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

| Name | Plugin | Audit Name |
| --- | --- | --- |
| 1.1.1.2.1.11 Set 'Devices: Unsigned driver installation behavior' to 'Warn but allow installation' | Windows | CIS Windows 2003 DC v3.1.0 |
| 1.1.1.2.1.11 Set 'Devices: Unsigned driver installation behavior' to 'Warn but allow installation' | Windows | CIS Windows 2003 MS v3.1.0 |
| 1.1.1.4. Prevent Using Visual Basic for Applications: Level II Enabled | Windows | CIS MS Office 2007 v1.1.0 L2 |
| 1.1.3.7. Download of Training Practice Files: Level II Enabled | Windows | CIS MS Office 2007 v1.1.0 L2 |
| 1.1.4.3. Disable UI Extending from Documents: Level II Enabled | Windows | CIS MS Office 2007 v1.1.0 L2 |
| 1.1.5.1. Visual Basic for Applications for Office Applications: Level II Enabled | Windows | CIS MS Office 2007 v1.1.0 L2 |
| 1.1.12.1 Smart Tag Recognition: Level I is set to does not exist (not configured). | Windows | CIS MS Office 2007 v1.1.0 L1 |
| 1.2 Set permissions on local-settings.js | Unix | CIS Mozilla Firefox 38 ESR Linux L1 v1.0.0 |
| 1.2.3 Ensure gpgcheck is globally activated - CA that is recognized and approved by the organization. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 1.2.6 Ensure software packages have been digitally signed by a Certificate Authority (CA) - CA that is recognized and approved by the organization. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 1.3 Protect Firefox Binaries | Unix | CIS Mozilla Firefox 102 ESR Linux L1 v1.0.0 |
| 1.4 Set permissions on local-settings.js | Unix | CIS Mozilla Firefox 102 ESR Linux L1 v1.0.0 |
| 1.4 Set permissions on local-settings.js - Administrators | Windows | CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0 |
| 1.4 Set permissions on local-settings.js - Users | Windows | CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0 |
| 1.4 Set permissions on mozilla.cfg | Unix | CIS Mozilla Firefox 38 ESR Linux L1 v1.0.0 |
| 1.4.4 Ensure boot loader does not allow removable media | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 1.5 Protect Firefox Binaries | Unix | CIS Mozilla Firefox 38 ESR Linux L1 v1.0.0 |
| 1.5 Set permissions on mozilla.cfg | Unix | CIS Mozilla Firefox 102 ESR Linux L1 v1.0.0 |
| 1.5 Set permissions on mozilla.cfg - Administrators | Windows | CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0 |
| 1.5 Set permissions on mozilla.cfg - Users | Windows | CIS Mozilla Firefox 102 ESR Windows L1 v1.0.0 |
| 1.6.1.10 Ensure system device files are labeled - device_t | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 1.6.1.10 Ensure system device files are labeled - unlabeled_t | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 2.2.1.4 Required Certificate Authority: Not Configured | Windows | CIS MS Office 2007 v1.1.0 L1 |
| 2.2.1.4. Required Certificate Authority: Not Configured | Windows | CIS MS Office 2007 v1.1.0 L2 |
| 2.2.21 Ensure the TFTP server has not been installed - TFTP server package installed if not required for operational support. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 3.1010 - The rsyslog daemon must not accept log messages from other servers unless the server is being used for log aggregation. | Unix | Tenable Fedora Linux Best Practices v2.0.0 |
| 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 4.2.2.6 Ensure rsyslog imudp and imrelp aren't loaded. | Unix | CIS Amazon Linux 2 STIG v1.0.0 L3 |
| 5.3 Set 'Check for signatures on downloaded programs' to 'Enabled' | Windows | CIS IE 10 v1.1.0 |
| 5.3 Set 'Check for signatures on downloaded programs' to 'Enabled' | Windows | CIS IE 11 v1.0.0 |
| 5.3.30 Ensure SSH does not permit GSSAPI - GSSAPI authentication unless needed. | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 5.3.31 Ensure SSH does not permit Kerberos authentication | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 5.5 Set 'Check for signatures on downloaded programs' to 'Enabled' | Windows | CIS IE 9 v1.0.0 |
| 5.5.9 Ensure local interactive user accounts umask is 077 | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 6.1.1 Audit system file permissions | Unix | CIS Red Hat Enterprise Linux 7 STIG v2.0.0 STIG |
| 8.10 Set 'Security Zones: Do not allow users to change policies' to 'Enabled' | Windows | CIS IE 9 v1.0.0 |
| 8.11 Set 'Security Zones: Do not allow users to change policies' to 'Enabled' | Windows | CIS IE 11 v1.0.0 |
| 8.11 Set 'Security Zones: Do not allow users to change policies' to 'Enabled' | Windows | CIS IE 10 v1.1.0 |
| 8.11 Set 'Security Zones: Use only machine settings' to 'Enabled' | Windows | CIS IE 9 v1.0.0 |
| 8.13 Set 'Security Zones: Use only machine settings' to 'Enabled' | Windows | CIS IE 10 v1.1.0 |
| 8.13 Set 'Security Zones: Use only machine settings' to 'Enabled' | Windows | CIS IE 11 v1.0.0 |
| AADC-CL-000840 - Adobe Acrobat Pro DC Classic privileged file and folder locations must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v1r3 |
| AADC-CL-000840 - Adobe Acrobat Pro DC Classic privileged file and folder locations must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v2r1 |
| AADC-CL-001280 - Adobe Acrobat Pro DC Classic Default Handler changes must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v1r3 |
| AADC-CL-001280 - Adobe Acrobat Pro DC Classic Default Handler changes must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v2r1 |
| AADC-CL-001325 - Adobe Acrobat Pro DC Classic privileged host locations must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v2r1 |
| AADC-CL-001325 - Adobe Acrobat Pro DC Classic privileged host locations must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Classic Track v1r3 |
| AADC-CN-000840 - Adobe Acrobat Pro DC Continuous privileged file and folder locations must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Continuous Track v2r1 |
| AADC-CN-000840 - Adobe Acrobat Pro DC Continuous privileged file and folder locations must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Continuous Track v1r2 |
| AADC-CN-001280 - Adobe Acrobat Pro DC Continuous Default Handler changes must be disabled. | Windows | DISA STIG Adobe Acrobat Pro DC Continuous Track v2r1 |