Control Family:
Access Control
CSF v1.1 References:
- PR.AC-4
- PR.PT-3
CSF v2.0 References:
- PR.AA-05
- PR.DS-10
- PR.IR-01
PF v1.0 References:
- CT.PO-P2
- CT.PO-P3
- CT.DM-P1
- CT.DM-P2
- CT.DM-P3
- CT.DM-P4
- PR.AC-P4
- PR.PT-P2
Threats Addressed:
- Tampering
- Information Disclosure
- Elevation of Privilege
Baselines:
Low
- AC-3
Moderate
- AC-3
High
See AlsoSchütze für AC4 AnwendungenSchütze für AC1 AnwendungenAntinukleäre Antikörper: Was sie Ihnen verraten – und was nichtSchütze für AC3 Anwendungen- AC-3
Privacy
- AC-3(14)
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- AC-3: Access Enforcement
Control Statement
Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance
Access control policies control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (i.e., devices, files, records, domains) in organizational systems. In addition to enforcing authorized access at the system level and recognizing that systems can host many applications and services in support of mission and business functions, access enforcement mechanisms can also be employed at the application and service level to provide increased information security and privacy. In contrast to logical access controls that are implemented within the system, physical access controls are addressed by the controls in the Physical and Environmental Protection (PE) family.
Control Enhancements
AC-3(2): Dual Authorization
Baseline(s):
(Not part of any baseline)
Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
AC-3(3): Mandatory Access Control
Baseline(s):
(Not part of any baseline)
Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy, and where the policy: Is uniformly enforced across the covered subjects and objects within the system; Specifies that a subject that has been granted access to information is constrained from doing any of the following; Passing…
AC-3(4): Discretionary Access Control
Baseline(s):
(Not part of any baseline)
Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy, and where the policy specifies that a subject that has been granted access to information can do one or more of the following: Pass the information to any other subjects or objects; Grant its privileges to…
AC-3(5): Security-relevant Information
Baseline(s):
(Not part of any baseline)
Prevent access to [Assignment: organization-defined security-relevant information] except during secure, non-operable system states.
AC-3(7): Role-based Access Control
Baseline(s):
(Not part of any baseline)
Enforce a role-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined roles and users authorized to assume such roles].
AC-3(8): Revocation of Access Authorizations
Baseline(s):
(Not part of any baseline)
Enforce the revocation of access authorizations resulting from changes to the security attributes of subjects and objects based on [Assignment: organization-defined rules governing the timing of revocations of access authorizations].
AC-3(9): Controlled Release
Baseline(s):
(Not part of any baseline)
Release information outside of the system only if: The receiving [Assignment: organization-defined system or system component] provides [Assignment: organization-defined controls]; and [Assignment: organization-defined controls] are used to validate the appropriateness of the information designated for release.
AC-3(10): Audited Override of Access Control Mechanisms
Baseline(s):
(Not part of any baseline)
Employ an audited override of automated access control mechanisms under [Assignment: organization-defined conditions] by [Assignment: organization-defined roles].
AC-3(11): Restrict Access to Specific Information Types
Baseline(s):
(Not part of any baseline)
Restrict access to data repositories containing [Assignment: organization-defined information types].
AC-3(12): Assert and Enforce Application Access
Baseline(s):
(Not part of any baseline)
Require applications to assert, as part of the installation process, the access needed to the following system applications and functions: [Assignment: organization-defined system applications and functions]; Provide an enforcement mechanism to prevent unauthorized access; and Approve access changes after initial installation of the application.
AC-3(13): Attribute-based Access Control
Baseline(s):
(Not part of any baseline)
Enforce attribute-based access control policy over defined subjects and objects and control access based upon [Assignment: organization-defined attributes to assume access permissions].
AC-3(14): Individual Access
Baseline(s):
- Privacy
Provide [Assignment: organization-defined mechanisms] to enable individuals to have access to the following elements of their personally identifiable information: [Assignment: organization-defined elements].
AC-3(15): Discretionary and Mandatory Access Control
Baseline(s):
(Not part of any baseline)
Enforce [Assignment: organization-defined mandatory access control policy] over the set of covered subjects and objects specified in the policy; and Enforce [Assignment: organization-defined discretionary access control policy] over the set of covered subjects and objects specified in the policy.
NIST Special Publication 800-53 Revision 5
- AC-2: Account Management
- AC-4: Information Flow Enforcement
- AC-5: Separation of Duties
- AC-6: Least Privilege
- AC-16: Security and Privacy Attributes
- AC-17: Remote Access
- AC-18: Wireless Access
- AC-19: Access Control for Mobile Devices
- AC-20: Use of External Systems
- AC-21: Information Sharing
- AC-22: Publicly Accessible Content
- AC-24: Access Control Decisions
- AC-25: Reference Monitor
- AT-2: Literacy Training and Awareness
- AT-3: Role-based Training
- AU-2: Event Logging
- AU-6: Audit Record Review, Analysis, and Reporting
- AU-9: Protection of Audit Information
- AU-10: Non-repudiation
- AU-12: Audit Record Generation
- AU-14: Session Audit
- CA-3: Information Exchange
- CA-9: Internal System Connections
- CM-5: Access Restrictions for Change
- CM-6: Configuration Settings
- CM-7: Least Functionality
- CM-8: System Component Inventory
- CM-11: User-installed Software
- CM-12: Information Location
- CM-13: Data Action Mapping
- CP-9: System Backup
- IA-2: Identification and Authentication (organizational Users)
- IA-5: Authenticator Management
- IA-6: Authentication Feedback
- IA-7: Cryptographic Module Authentication
- IA-8: Identification and Authentication (non-organizational Users)
- IA-11: Re-authentication
- MA-3: Maintenance Tools
- MA-4: Nonlocal Maintenance
- MA-5: Maintenance Personnel
- MP-4: Media Storage
- MP-6: Media Sanitization
- PM-2: Information Security Program Leadership Role
- PM-5: System Inventory
- PM-20: Dissemination of Privacy Program Information
- PM-21: Accounting of Disclosures
- PM-22: Personally Identifiable Information Quality Management
- PS-3: Personnel Screening
- PT-2: Authority to Process Personally Identifiable Information
- PT-3: Personally Identifiable Information Processing Purposes
- PT-7: Specific Categories of Personally Identifiable Information
- PT-8: Computer Matching Requirements
- SA-9: External System Services
- SA-17: Developer Security and Privacy Architecture and Design
- SC-2: Separation of System and User Functionality
- SC-3: Security Function Isolation
- SC-4: Information in Shared System Resources
- SC-7: Boundary Protection
- SC-12: Cryptographic Key Establishment and Management
- SC-13: Cryptographic Protection
- SC-16: Transmission of Security and Privacy Attributes
- SC-28: Protection of Information at Rest
- SC-31: Covert Channel Analysis
- SC-34: Non-modifiable Executable Programs
- SC-39: Process Isolation
- SI-4: System Monitoring
- SI-8: Spam Protection
Cloud Controls Matrix v4.0
- IAM-02: Strong Password Policy and Procedures
- IAM-06: User Access Provisioning
- IAM-07: User Access Changes and Revocation
- IAM-09: Segregation of Privileged Access Roles
- IAM-10: Management of Privileged Access Roles
- IAM-13: Uniquely Identifiable Users
- IAM-16: Authorization Mechanisms
Critical Security Controls Version 8
- 3.3: Configure Data Access Control Lists
- 6.7: Centralize Access Control
Cloud Controls Matrix v3.0.1
- DSI-06: Ownership / Stewardship
- IAM-02: Credential Lifecycle / Provision Management
- IAM-03: Diagnostic / Configuration Ports Access
- IAM-06: Source Code Access Restriction
- IAM-09: User Access Authorization
- IAM-12: User ID Credentials
- IVS-11: Hypervisor Hardening
Critical Security Controls Version 7.1
- 14.6: Protect Information Through Access Control Lists
