bigforceone

03.04.05

What this control requires

Source: NIST SP 800-171 R3 §03.04.05 (official control text).

Why this matters

Unauthorized or unqualified changes to systems can introduce vulnerabilities, break security controls, or cause outages that expose CUI. This control ensures only trained, authorized personnel can modify production systems, configurations, or firmware. It protects against insider threats, accidental misconfigurations, and malicious tampering by enforcing both logical access controls (who can push changes) and procedural guardrails (approval workflows, change windows). Without these restrictions, a single unauthorized change can undermine an entire security posture, which is why this control is a foundational configuration management defense.

What evidence assessors expect

Assessors typically look for: PDF, screenshot, CSV export, photo. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls
