CM.L2-3.4.5 — Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
What this control requires
Define, document, approve, and enforce physical and logical access restrictions associated with changes to organizational systems.
Source: CMMC L2 v2.13 CM.L2-3.4.5 / NIST SP 800-171 R2 3.4.5 (official control text).
Why this matters
This control prevents unauthorized people from modifying production systems, applications, or infrastructure. When anyone can push code, install software, or reconfigure servers, you lose accountability and invite sabotage, accidental breakage, or malicious backdoors. Restricting who can make changes, and logging every change, creates an audit trail, reduces the blast radius of mistakes, and ensures only trained personnel touch critical systems. This protects operational continuity and data integrity, and prevents insider threats or compromised accounts from altering your security posture.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export, photo. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.