CMMC Level 2 practice 3.4.5, derived from NIST SP 800-171 Rev 2 requirement 3.4.5, mandates that organizations define, document, approve, and enforce access restrictions for all changes made to their information systems. Physical access restrictions govern who may physically interact with hardware, network equipment, and server infrastructure in the context of making configuration changes. Logical access restrictions govern who may authenticate to systems and execute software-based configuration changes, including administrative commands, software deployments, and system-setting modifications. Both categories of restriction must be explicitly scoped, recorded in authoritative policy or procedural documents, authorized through a formal approval process, and actively implemented through technical and administrative controls. This practice extends the baseline configuration established under 3.4.2 by ensuring that modifications to that baseline are tightly controlled at both the physical and logical layers.
Where it stops · what it isn't
- This practice does not govern general user access to CUI or business applications — it is scoped specifically to access that enables configuration changes to the system.
- It does not replace or duplicate Access Control domain requirements (AC 3.1.x) for routine user authentication and authorization; it addresses the change-management-specific access control layer.
- It does not define the change management workflow itself (e.g., ticketing, approvals for changes) — it defines who is permitted to physically or logically execute approved changes.
- It does not address audit logging of changes, which is covered under the Audit and Accountability domain (AU 3.3.x), though the access restrictions here support that audit capability.
- It does not cover access restrictions for read-only system monitoring or inspection activities that do not alter system configurations.