CMMC 1.0 Practice CM.3.067 Requirement:

Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.

CMMC 1.0 CM.3.067 Requirement Explanation:

By documenting who can deploy changes to your systems and when they can be deployed you protect the security of your systems. Only approved personnel are allowed to carry out approved changes at approved times. These personnel are granted the physical and logical access needed to carry out these changes.

Example CMMC 1.0 CM.3.067 Implementation:

Create a list of authorized personnel who may implement changes on your systems. Examples include documenting who is responsible for deploying software updates to workstations. Document their physical access restrictions (e.g., server room access) and logical access (e.g. which systems they are permitted to log into). Define the times and dates when changes to your system may be deployed. An example is restricting the deployment of software updates to Fridays after 6:00 PM.

CMMC 1.0 CM.3.067 Scenario(s):

- Scenario 1:

Alice is responsible for deploying operating system updates. She has successfully tested her operating system updates. She then receives approval from management to deploy them during the documented "change window". IT standard operating procedures state that operating system updates may only be deployed on the last Friday of the month between 5:00 PM and 8:00 PM.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.