CMMC 1.0 Practice CM.3.067 Requirement:
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
CMMC 1.0 CM.3.067 Requirement Explanation:
By documenting who can deploy changes to your systems and when they can be deployed you protect the security of your systems. Only approved personnel are allowed to carry out approved changes at approved times. These personnel are granted the physical and logical access needed to carry out these changes.
Example CMMC 1.0 CM.3.067 Implementation:
Create a list of authorized personnel who may implement changes on your systems. Examples include documenting who is responsible for deploying software updates to workstations. Document their physical access restrictions (e.g., server room access) and logical access (e.g. which systems they are permitted to log into). Define the times and dates when changes to your system may be deployed. An example is restricting the deployment of software updates to Fridays after 6:00 PM.
CMMC 1.0 CM.3.067 Scenario(s):
- Scenario 1:
Alice is responsible for deploying operating system updates. She has successfully tested her operating system updates. She then receives approval from management to deploy them during the documented "change window". IT standard operating procedures state that operating system updates may only be deployed on the last Friday of the month between 5:00 PM and 8:00 PM.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you