The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the access control policy and associated access controls; and Reviews and updates the current: Access control policy [Assignment:…
The organization: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; Assigns account managers for information system accounts; Establishes conditions for group and role membership; Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other…
The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].
The organization: Separates [Assignment: organization-defined duties of individuals]; Documents separation of duties of individuals; and Defines information system access authorizations to support separation of duties.
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
The information system: Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the…
The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. Government information system; Information system usage may be…
The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).
The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].
The information system: Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and Retains the session lock until the user reestablishes access using established identification and authentication procedures.
The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
The organization: Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.
The organization: Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; Ensures that the security attribute associations are made and retained with the information; Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and Determines…
The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorizes remote access to the information system prior to allowing such connections.
The organization: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and Authorizes wireless access to the information system prior to allowing such connections.
The organization: Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and Authorizes the connection of mobile devices to organizational information systems.
The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Access the information system from external information systems; and Process, store, or transmit organization-controlled information using external information systems.
The organization: Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.
The organization: Designates individuals authorized to post information onto a publicly accessible information system; Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and Reviews the content…
The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.
The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.
The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.