Control 3.4.5
Define and Enforce Physical and Logical Access Restrictions for Changes
Official Requirement
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational information systems.
What This Means in Plain English
Only authorized personnel should be able to make changes to your systems, both physically and logically. This means restricting who can access server rooms, admin consoles, and configuration interfaces.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Role-based access to system administration tools restricted to approved change implementers
- Physical access to server rooms restricted via badge access with logging
- FortiGate management interface restricted to specific admin workstations and IP addresses
- Microsoft Entra PIM requiring role activation before infrastructure changes
- ComplianceArmor maintaining the list of authorized change implementers per system
Assessment Guidance
Assessors will verify that only authorized personnel have access to make system changes, test that physical access to infrastructure is restricted and logged, review the list of authorized change implementers, and check that management interfaces are restricted to approved sources.
Common Implementation Gaps
- Broad admin access allowing anyone in IT to make system changes
- Server room accessible without badge access or logging
- Management interfaces accessible from any network location
- No documentation of who is authorized to make specific changes
- Physical access not logged for server rooms and wiring closets
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | CM-5 |
| PCI DSS | Req 6.4 - Follow change control processes |
Need Help Implementing 3.4.5?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.