CMMC Level 2 Control CM.L2-3.4.5: Access Restrictions for Change
Access restrictions for change management protect your organization's systems from unauthorized modifications that could introduce vulnerabilities. This CMMC Level 2 control requires you to define, document, approve, and enforce both physical and logical access controls throughout your change process. Without proper restrictions, attackers can exploit change windows to compromise your infrastructure.
What this means
This control mandates that your organization establish and maintain documented policies restricting who can make changes to information systems. You must enforce approval workflows before changes are implemented, control physical access to systems during modifications, and restrict logical access based on role and need-to-know. The control applies to all system changes—whether hardware, software, configuration, or procedural—and requires documented evidence of restrictions and approvals.
How to comply
- 1.Document a change management policy that defines access restrictions for physical and logical system modifications
- 2.Establish an approval workflow requiring authorization from designated personnel before implementing any changes
- 3.Implement role-based access controls limiting who can execute changes based on job function and responsibilities
- 4.Maintain an audit trail documenting all change requests, approvals, denials, and implementations
- 5.Restrict physical access to systems during maintenance or updates through badges, locks, or personnel monitoring
- 6.Define and enforce logical access restrictions such as sudo privileges, change scripts, or admin account limitations
- 7.Review and update access restrictions quarterly or whenever organizational roles or systems change
- 8.Train personnel on the change management process and their specific responsibilities within it
Evidence auditors look for
- Change management policy document with defined access restriction requirements
- Change request forms showing approval signatures from authorized personnel
- Access control lists (ACLs) or role-based access control (RBAC) configurations limiting change execution
- System logs demonstrating audit trails of change approvals and implementations
- Physical access logs or badge reader records during system maintenance windows
- Sudo audit logs or privileged access management (PAM) records for logical changes
- Change denial records showing enforcement of restrictions
- Training records for personnel involved in change management processes
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates change request workflows with built-in approval routing and audit logging, eliminating manual tracking and ensuring every system change is documented, approved, and traceable for your CMMC assessor.
See how GRCWatch handles this control automatically
Start free trial