CMMC Practice Requirement:

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

CMMC Requirement Explanation:

By documenting who can deploy changes to your systems and when they can be deployed you protect the security of your systems. Only approved personnel are allowed to carry out approved changes at approved times. These personnel are granted the physical and logical access needed to carry out these changes.

Example CMMC Implementation:

Create a list of authorized personnel who may implement changes on your systems. Examples include documenting who is responsible for deploying software updates to workstations. Document their physical access restrictions (e.g., server room access) and logical access (e.g. which systems they are permitted to log into). Define the times and dates when changes to your system may be deployed. An example is restricting the deployment of software updates to Fridays after 6:00 PM.


- Scenario 1:

Alice is responsible for deploying operating system updates. She has successfully tested her operating system updates. She then receives approval from management to deploy them during the documented "change window". IT standard operating procedures state that operating system updates may only be deployed on the last Friday of the month between 5:00 PM and 8:00 PM.

Discover Our NIST SP 800-171 Solutions:


Compliance Accelerator

For contractors seeking compliance

Quantum Assessor

For IT service providers

Supply Chain Verifier

For contractors seeking to verify partner compliance