Thanks in advance for your answers. At our company, Information Assurance/cyber have placed the ISSE role in their organization. With separation of duties, Change Management, and RBAC, shouldn't IT be making system configuration changes, but the ISSM is requesting that the ISSE have access to make changed in Active Directory, Group Policy, and SUDO in Linux. According to the JSIG/RMF the ISO "appoints" the ISSE and IASAE. How is it at your organization?