Skip to main content
MuonPartners
Services
Architecture

Solution design and technology roadmapping

Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security

Security assessments, IAM, and compliance

AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform

Network architecture and cloud platforms

Network DesignCloud StrategyModernisation
Enterprise Architecture

Business-technology alignment

Business AlignmentPortfolio AnalysisGovernance
View all services
ProjectsCase StudiesInsightsToolsAbout
Contact Us

Services

Architecture
Solution AssessmentTechnology RoadmapsIntegration DesignSolution ArchitectureTechnical Design
Cyber Security
AssessmentsIAMComplianceSecurity BaselineCyber Innovation
Network and Platform
Network DesignCloud StrategyModernisation
Enterprise Architecture
Business AlignmentPortfolio AnalysisGovernance
ProjectsCase StudiesInsightsToolsAboutContact
Get in Touch
MuonPartners

Strategic technology consulting for Australian organisations navigating complexity.

Services

  • Architecture
  • Cyber Security
  • Network and Platform
  • Enterprise Architecture

Company

  • About
  • Products
  • Frameworks
  • Cross-Framework Mapping
  • Projects
  • Case Studies
  • Insights
  • Contact

Contact

  • [email protected]
  • Australia
  • LinkedIn

© 2026 Muon Partners. All rights reserved.

ABN 50 669 022 315 · A Muon Group company.

Privacy PolicyTerms of Service
  1. Frameworks
  2. >SP 800-53
  3. >Configuration Management
  4. >SP800-53-CM-5(4)
SP800-53-CM-5(4)Active

Dual Authorization

Statement

Enforce dual authorization for implementing changes to system components; system-level information.

Location

Control Family
Configuration Management

Control Details

Identifier
SP800-53-CM-5(4)
Family
CM
Parent Control
SP800-53-CM-5

Organisation-Defined Parameters

cm-05.04_odp.01
system components
cm-05.04_odp.02
system-level information

Supplemental Guidance

Organizations employ dual authorization to help ensure that any changes to selected system components and information cannot occur unless two qualified individuals approve and implement such changes. The two individuals possess the skills and expertise to determine if the proposed changes are correct implementations of approved changes. The individuals are also accountable for the changes. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals. System-level information includes operational procedures.

Assessment Objective

dual authorization for implementing changes to system components is enforced; dual authorization for implementing changes to system-level information is enforced.

No cross-framework mappings available

← Back to Configuration Management
Configuration Management66 controls
SP800-53-CM-1Policy and ProceduresSP800-53-CM-2Baseline ConfigurationSP800-53-CM-2(1)Reviews and UpdatesSP800-53-CM-2(2)Automation Support for Accuracy and CurrencySP800-53-CM-2(3)Retention of Previous ConfigurationsSP800-53-CM-2(4)Unauthorized SoftwareSP800-53-CM-2(5)Authorized SoftwareSP800-53-CM-2(6)Development and Test EnvironmentsSP800-53-CM-2(7)Configure Systems and Components for High-risk AreasSP800-53-CM-3Configuration Change ControlSP800-53-CM-3(1)Automated Documentation, Notification, and Prohibition of ChangesSP800-53-CM-3(2)Testing, Validation, and Documentation of ChangesSP800-53-CM-3(3)Automated Change ImplementationSP800-53-CM-3(4)Security and Privacy RepresentativesSP800-53-CM-3(5)Automated Security ResponseSP800-53-CM-3(6)Cryptography ManagementSP800-53-CM-3(7)Review System ChangesSP800-53-CM-3(8)Prevent or Restrict Configuration ChangesSP800-53-CM-4Impact AnalysesSP800-53-CM-4(1)Separate Test EnvironmentsSP800-53-CM-4(2)Verification of ControlsSP800-53-CM-5Access Restrictions for ChangeSP800-53-CM-5(1)Automated Access Enforcement and Audit RecordsSP800-53-CM-5(2)Review System ChangesSP800-53-CM-5(3)Signed ComponentsSP800-53-CM-5(4)Dual AuthorizationSP800-53-CM-5(5)Privilege Limitation for Production and OperationSP800-53-CM-5(6)Limit Library PrivilegesSP800-53-CM-5(7)Automatic Implementation of Security SafeguardsSP800-53-CM-6Configuration SettingsSP800-53-CM-6(1)Automated Management, Application, and VerificationSP800-53-CM-6(2)Respond to Unauthorized ChangesSP800-53-CM-6(3)Unauthorized Change DetectionSP800-53-CM-6(4)Conformance DemonstrationSP800-53-CM-7Least FunctionalitySP800-53-CM-7(1)Periodic ReviewSP800-53-CM-7(2)Prevent Program ExecutionSP800-53-CM-7(3)Registration ComplianceSP800-53-CM-7(4)Unauthorized Software — Deny-by-exceptionSP800-53-CM-7(5)Authorized Software — Allow-by-exceptionSP800-53-CM-7(6)Confined Environments with Limited PrivilegesSP800-53-CM-7(7)Code Execution in Protected EnvironmentsSP800-53-CM-7(8)Binary or Machine Executable CodeSP800-53-CM-7(9)Prohibiting The Use of Unauthorized HardwareSP800-53-CM-8System Component InventorySP800-53-CM-8(1)Updates During Installation and RemovalSP800-53-CM-8(2)Automated MaintenanceSP800-53-CM-8(3)Automated Unauthorized Component DetectionSP800-53-CM-8(4)Accountability InformationSP800-53-CM-8(5)No Duplicate Accounting of ComponentsSP800-53-CM-8(6)Assessed Configurations and Approved DeviationsSP800-53-CM-8(7)Centralized RepositorySP800-53-CM-8(8)Automated Location TrackingSP800-53-CM-8(9)Assignment of Components to SystemsSP800-53-CM-9Configuration Management PlanSP800-53-CM-9(1)Assignment of ResponsibilitySP800-53-CM-10Software Usage RestrictionsSP800-53-CM-10(1)Open-source SoftwareSP800-53-CM-11User-installed SoftwareSP800-53-CM-11(1)Alerts for Unauthorized InstallationsSP800-53-CM-11(2)Software Installation with Privileged StatusSP800-53-CM-11(3)Automated Enforcement and MonitoringSP800-53-CM-12Information LocationSP800-53-CM-12(1)Automated Tools to Support Information LocationSP800-53-CM-13Data Action MappingSP800-53-CM-14Signed Components