NIST 800-171 3.4.5: Access Restrictions for Change
Change management without proper access controls is a security liability. NIST 800-171 3.4.5 requires organizations to define, document, approve, and enforce both physical and logical access restrictions whenever systems undergo modifications. For SMBs handling controlled unclassified information, this control bridges change management and access governance to prevent unauthorized alterations.
What this means
This control mandates a formal process for restricting who can make changes to organizational systems—and where those changes can be made. You must document which personnel, roles, or systems have permission to modify critical assets, require documented approval before changes occur, and enforce those restrictions through technical controls (role-based access, code review tools) and procedural safeguards (locked server rooms, change boards). The intent is to ensure that system modifications only happen through authorized channels with proper oversight.
How to comply
- 1.Identify all systems subject to change management and categorize by sensitivity and criticality.
- 2.Define access roles (developer, reviewer, approver, operator) and document which roles can modify each system component.
- 3.Establish a change approval process requiring documented authorization before any modification is deployed.
- 4.Implement logical controls (branch protection, code signing, MFA for administrative access) to enforce access restrictions.
- 5.Secure physical access to servers, network equipment, and other hardware that could be modified (locks, badges, visitor logs).
- 6.Document all approved changes and maintain an audit trail of who made what modifications and when.
- 7.Review and update access restrictions quarterly or when roles, personnel, or system architecture changes.
- 8.Train staff on the change process and access policies to ensure consistent compliance.
Evidence auditors look for
- Change management policy documenting roles, approval workflows, and access restrictions for each system tier.
- Role-based access control (RBAC) configuration showing developer, reviewer, and approver permissions.
- Git/code repository logs showing branch protection rules, required code review, and merge approvals.
- Multi-factor authentication (MFA) enrollment records for privileged system administrators.
- Physical access control records (badge logs, door lock audits) for server rooms and data centers.
- Change request forms with approval signatures and timestamps for the past 12 months.
- Audit logs from configuration management tools (Terraform, Ansible, Chef) showing who deployed each change.
- Incident reports documenting any unauthorized change attempts and remediation actions.
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates access restriction tracking and change approval workflows, logging every modification with role-based permissions and generating audit trails that directly satisfy NIST 800-171 3.4.5 documentation requirements without manual spreadsheets.
See how GRCWatch handles this control automatically
Start free trial