PR.AC: Identity Management, Authentication and Access Control
Description
Access to physical and logical assets and associated facilities is limited to authorized users, processes, and devices, and is managed consistent with the assessed risk of unauthorized access to authorized activities and transactions.
Framework Subcategories
PR.AC-1: Identities and credentials are issued, managed, verified, revoked, and audited for authorized devices, users and processes
[csf.tools Note: Subcategories do not have detailed descriptions.]
PR.AC-2: Physical access to assets is managed and protected
PR.AC-3: Remote access is managed
PR.AC-4: Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)
PR.AC-6: Identities are proofed and bound to credentials and asserted in interactions
PR.AC-7: Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)