CM-05 (06) Access Restrictions for Change - Limit Library Privileges
Introduction
This document describes how Private Mendix Platform fulfills the CM-05 (06) control.
| Control ID | CM-05 (06) |
|---|---|
| Control category | CM - Configuration Management |
| Requirement baseline | IL5 |
| Responsibility and ownership | Customer - Infra, Customer - Org |
Control
The organization limits privileges to change software resident within software libraries.
Supplemental Guidance
Software libraries include privileged programs.
The following controls are related to this control:
- AC-02
Responsibility
Customer Responsibility
The customer is responsible for implementing this control in an appropriate manner in their organization. This includes defining and enforcing privilege limitations for all changes to software resident within software libraries to ensure compliance with federal requirements. The customer must ensure that access controls for software libraries, including privileged programs, are documented, reviewed, and enforced within their environment.
Guidance
Customer Responsibility
This control is governed by NIST SP 800-53 Rev 4 and FIPS 200, which establish requirements for limiting privileges to modify software within software libraries, including privileged programs. Customers operating within a FedRAMP or DoD SRG environment must ensure that only authorized personnel can change software in libraries, and that these privilege limitations are consistently enforced.
To meet these requirements, the customer must carry out the following actions:
-
Define software library privilege policies.
The customer must define who is allowed to make changes to software libraries and components, and under what conditions. This includes establishing role-based access controls for software repositories, package registries, and deployment artifacts in accordance with NIST SP 800-53 Rev 4 AC-2 account management requirements.
-
Enforce privilege restrictions across all parties.
The Infra Implementer, App Implementer, Infra Operator, and App Operator must respect the customer's privilege limitations throughout the lifecycle of the solution. This includes implementing technical controls such as repository branch protections, code signing requirements, and deployment pipeline restrictions that prevent unauthorized modifications to software libraries.
-
Review and audit library access privileges.
The customer must periodically review and audit access privileges to software libraries to ensure compliance with the defined policies. This includes maintaining records of who has write access to software libraries, reviewing privilege assignments at organization-defined frequencies, and revoking unnecessary access in alignment with least privilege principles, as described in NIST SP 800-53 AC-06.