Episode 5 Access Restriction For Change (CM-5)

442 views· 277 likes· 8:23· Jun 22, 2024

In this fifth episode of the NIST SP 800-53 Security Control explanations for CM, we review CM-5, Access Restriction For Change, simplify what the control requirements are all about, and look at how best to assess/test this control.

Computer Security Resource Center: https://csrc.nist.gov/publications

The free way to help the channel grow is by subscribing using the link below:
https://www.youtube.com/c/KamilSec?su...

Patreon & Channel Support: https://www.patreon.com/kamilSec?fan_landing=true
Order your KamilSec (KS) Designs Merch: https://kamilsec.creator-spring.com/
Buy me a coffee if you appreciate my work: https://buymeacoffee.com/kamilsec
CashApp: $Kamilzak
Zelle: kaamilzak@gmail.com
Paypal: https://paypal.me/MZakari
Thank You!!!

I also conduct individualized resume and interview prep sessions.

Connect with me on Social Media:
Twitter: https://twitter.com/Kamilzak_1
Instagram: @Kamilzak1
E-Mail: Kaamilzak@gmail.com

About This Video

In this Episode 5 of my Configuration Management (CM) series, I break down NIST SP 800-53 Rev. 5 CM-5: Access Restriction for Change. The whole point of CM-5 is simple: I need to clearly define, document, approve, and enforce who can make changes to the system and its documentation, both physically (hardware access) and logically (software, configuration files, audit files, and related system components). I also explain why this matters: changes to hardware, software, firmware, or even operational procedures can have a significant impact on system security (and potentially privacy), so only qualified and authorized individuals should be allowed to initiate changes.

I walk through the control discussion and highlight how CM-5 ties into access enforcement (AC-3) and physical access control (PE-3). I also touch on practical implementation ideas like change windows (patch/maintenance cycles) and using tools like Tripwire to help track integrity and detect unauthorized modifications. Then I cover the control enhancements at a high level, like dual authorization for implementing changes and privilege limitation for production/operations and software libraries.

Finally, I give you a straightforward assessment approach: review policies/procedures, interview key personnel (admins, ISSO, CCB members), and examine change management records to confirm access restrictions were enforced, only authorized personnel made changes, and everything was logged and documented through your ticketing process.
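The record-examination step of the assessment can be automated against an exported change log. The script below is an added example, not code from the video or from NIST; it cross-checks constructed change records against an assumed authorized-changer list, requires a ticket reference for every change, and applies a dual-authorization rule (two distinct approvers) to systems the assessor flags as needing it. All system names, users and ticket ids are made up.

```python
"""CM-5 assessment helper: flag change records that violate access restrictions.

Constructed sample data (assumption, not from any real environment).
"""

# Who is allowed to change each system; this is the documented, approved list
# that CM-5 asks the organization to define and enforce.
AUTHORIZED_CHANGERS = {"prod-web": {"alice", "bob"}, "prod-db": {"bob", "carol"}}

# Systems the assessor treats as requiring dual authorization for changes.
DUAL_AUTH_SYSTEMS = {"prod-db"}

# Roles whose sign-off counts as an approval (ISSO, CCB members).
APPROVERS = {"isso", "ccb-lead", "ccb-member"}

# Constructed change-management export: one dict per recorded change.
CHANGE_RECORDS = [
    {"id": 1, "system": "prod-web", "actor": "alice", "ticket": "CHG-101", "approvals": ["isso"]},
    {"id": 2, "system": "prod-web", "actor": "dave", "ticket": "CHG-102", "approvals": ["isso"]},
    {"id": 3, "system": "prod-db", "actor": "bob", "ticket": "", "approvals": ["isso", "ccb-lead"]},
    {"id": 4, "system": "prod-db", "actor": "carol", "ticket": "CHG-104", "approvals": ["isso"]},
    {"id": 5, "system": "prod-db", "actor": "bob", "ticket": "CHG-105", "approvals": ["isso", "isso"]},
]


def assess_record(rec, authorized, dual_auth, approvers):
    """Return a list of findings for one change record (empty list = compliant)."""
    findings = []
    # Only documented, authorized personnel may make changes to this system.
    if rec["actor"] not in authorized.get(rec["system"], set()):
        findings.append("unauthorized actor")
    # Every change must be traceable through the ticketing process.
    if not rec["ticket"]:
        findings.append("no ticket reference")
    # Count distinct recognized approvers; the same person signing twice counts once.
    distinct = {a for a in rec["approvals"] if a in approvers}
    needed = 2 if rec["system"] in dual_auth else 1
    if len(distinct) < needed:
        findings.append(f"insufficient approval ({len(distinct)} of {needed})")
    return findings


def assess(records, authorized=AUTHORIZED_CHANGERS, dual_auth=DUAL_AUTH_SYSTEMS, approvers=APPROVERS):
    """Map each record id to its findings so an assessor can see every exception."""
    return {r["id"]: assess_record(r, authorized, dual_auth, approvers) for r in records}


if __name__ == "__main__":
    for rec_id, findings in assess(CHANGE_RECORDS).items():
        print(rec_id, "OK" if not findings else "; ".join(findings))
```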
