AC: Access Control

Controls

AC-1: Access Control Policy And Procedures

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]: An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Procedures to facilitate the implementation of the access control policy and associated access controls; and Reviews and updates the current: Access control policy [Assignment:…

AC-2: Account Management

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types]; Assigns account managers for information system accounts; Establishes conditions for group and role membership; Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other…

AC-3: Access Enforcement

Baseline(s):

  • Low
  • Moderate
  • High

The information system enforces approved authorizations for logical access to information and system resources in accordance with applicable access control policies.

AC-4: Information Flow Enforcement

Baseline(s):

  • Moderate
  • High

The information system enforces approved authorizations for controlling the flow of information within the system and between interconnected systems based on [Assignment: organization-defined information flow control policies].

AC-5: Separation Of Duties

Baseline(s):

  • Moderate
  • High

The organization: Separates [Assignment: organization-defined duties of individuals]; Documents separation of duties of individuals; and Defines information system access authorizations to support separation of duties.

AC-6: Least Privilege

Baseline(s):

  • Moderate
  • High

The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
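Worked example of what AC-3, AC-5 and AC-6 look like once they are enforced in code. This is an added illustration, not text or code from NIST SP 800-53 or any product: a deny-by-default authorization check over a hypothetical role/permission table, a static and a dynamic separation-of-duties rule for a hypothetical invoice workflow, and a least-privilege review that reports the permissions a role assignment grants beyond what a set of tasks needs. All roles, permissions, user names and the invoice record are made up for the example.

```python
"""Added example (not NIST text): deny-by-default access enforcement (AC-3),
separation of duties (AC-5) and a least-privilege review (AC-6).
Roles, permissions, users and the invoice workflow are hypothetical."""
from dataclasses import dataclass
from typing import Optional

# Hypothetical role -> permission table.  A permission is (resource type, action).
POLICY = {
    "clerk":    {("invoice", "create"), ("invoice", "read")},
    "approver": {("invoice", "read"), ("invoice", "approve")},
    "auditor":  {("invoice", "read"), ("audit_log", "read")},
}

# Hypothetical static separation-of-duties rule (AC-5): one subject must not hold
# both roles of a conflicting pair.
CONFLICTING_ROLES = {frozenset({"clerk", "approver"})}


@dataclass
class Subject:
    user: str
    roles: frozenset


@dataclass
class Invoice:
    invoice_id: str
    created_by: str
    approved_by: Optional[str] = None


def permissions_of(roles):
    """Union of the permissions granted by the roles; unknown roles grant nothing."""
    return set().union(*(POLICY.get(r, set()) for r in roles))


def conflicting_roles(roles):
    """Static SoD check: the conflicting role pairs a subject actually holds."""
    held = frozenset(roles)
    return {pair for pair in CONFLICTING_ROLES if pair <= held}


def authorize(subject, resource_type, action, resource=None):
    """AC-3: return (allowed, reason).  Anything not explicitly granted is denied."""
    if (resource_type, action) not in permissions_of(subject.roles):
        return False, f"no role of {subject.user} grants {resource_type}:{action}"
    # AC-5, dynamic form: whoever created a record may not approve it, even if
    # the role assignment would otherwise permit the action.
    if (resource_type, action) == ("invoice", "approve") and resource is not None \
            and resource.created_by == subject.user:
        return False, "separation of duties: creator may not approve own invoice"
    return True, "allowed"


def excess_privileges(roles, needed):
    """AC-6 review: permissions the roles grant beyond what the assigned tasks need."""
    return permissions_of(roles) - set(needed)


def minimal_roles(needed):
    """AC-6: a small role set covering the needed permissions (greedy set cover;
    fine for a review tool over a role table this size)."""
    remaining, chosen = set(needed), set()
    while remaining:
        best = max(POLICY, key=lambda r: len(POLICY[r] & remaining))
        if not POLICY[best] & remaining:
            raise ValueError(f"no role grants {sorted(remaining)}")
        chosen.add(best)
        remaining -= POLICY[best]
    return chosen


if __name__ == "__main__":
    carol = Subject("carol", frozenset({"clerk", "approver"}))   # hypothetical user
    inv = Invoice("INV-1", created_by="carol")                   # constructed record
    print(authorize(Subject("alice", frozenset({"clerk"})), "invoice", "approve"))
    print(authorize(carol, "invoice", "approve", inv))
    print("static SoD conflicts:", conflicting_roles(carol.roles))
    print("excess:", excess_privileges(carol.roles, {("invoice", "read")}))
```

The static rule catches the conflicting assignment at provisioning time; the dynamic rule in `authorize` catches the case the static rule cannot express, a single user who legitimately holds an approval role but created the specific record. The review helpers are what an AC-6 periodic privilege review would run over real role data.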

AC-7: Unsuccessful Logon Attempts

Baseline(s):

  • Low
  • Moderate
  • High

The information system: Enforces a limit of [Assignment: organization-defined number] consecutive invalid logon attempts by a user during a [Assignment: organization-defined time period]; and Automatically [Selection: locks the account/node for an [Assignment: organization-defined time period]; locks the account/node until released by an administrator; delays next logon prompt according to [Assignment: organization-defined delay algorithm]] when the…
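Worked example of the AC-7 mechanism, added here and not taken from NIST SP 800-53 or any product: a per-account counter of consecutive invalid logon attempts inside a sliding time window, which once the limit is reached applies one of the control's three selections (timed lock, lock until an administrator releases it, or a delay before the next prompt). The limit, window, lock period and the doubling delay algorithm are hypothetical values for the control's assignment and selection slots, and the settable clock exists only so the behaviour can be exercised without waiting.

```python
"""Added example (not NIST text): an AC-7 unsuccessful-logon throttle.
All numeric parameters and the delay algorithm are hypothetical choices."""
import math
import time
from collections import defaultdict, deque


class FakeClock:
    """Settable clock so the throttle can be exercised without sleeping."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


class LogonThrottle:
    """Counts consecutive invalid logon attempts per account within a sliding
    window and, at the limit, applies one of the AC-7 selections:
      mode="lock"        lock the account for lock_seconds
      mode="lock_admin"  lock the account until admin_unlock() is called
      mode="delay"       delay the next prompt, doubling for each extra failure
    """

    def __init__(self, max_attempts=5, window=900.0, lock_seconds=1800.0, mode="lock",
                 base_delay=1.0, max_delay=300.0, clock=time.monotonic):
        if mode not in ("lock", "lock_admin", "delay"):
            raise ValueError(f"unknown mode {mode!r}")
        self.max_attempts, self.window, self.lock_seconds = max_attempts, window, lock_seconds
        self.mode, self.base_delay, self.max_delay = mode, base_delay, max_delay
        self.clock = clock
        self._failures = defaultdict(deque)   # account -> timestamps of recent failures
        self._blocked_until = {}              # account -> time the block expires

    def _prune(self, account, now):
        """Drop failures that fell out of the window; what remains is the
        run of consecutive failures that still counts."""
        q = self._failures[account]
        while q and q[0] <= now - self.window:
            q.popleft()
        return q

    def check(self, account):
        """Call before presenting a logon prompt.  Returns (allowed, seconds_to_wait)."""
        now = self.clock()
        until = self._blocked_until.get(account)
        if until is not None and until > now:
            return False, until - now
        return True, 0.0

    def record_failure(self, account):
        """Call after an invalid logon.  Returns the failure count inside the window."""
        now = self.clock()
        q = self._prune(account, now)
        q.append(now)
        n = len(q)
        if n >= self.max_attempts:
            if self.mode == "lock":
                self._blocked_until[account] = now + self.lock_seconds
            elif self.mode == "lock_admin":
                self._blocked_until[account] = math.inf
            else:  # hypothetical delay algorithm: base * 2**(failures past the limit), capped
                delay = min(self.max_delay, self.base_delay * 2 ** (n - self.max_attempts))
                self._blocked_until[account] = now + delay
        return n

    def _reset(self, account):
        self._failures.pop(account, None)
        self._blocked_until.pop(account, None)

    def record_success(self, account):
        """A successful logon ends the run of consecutive failures."""
        self._reset(account)

    def admin_unlock(self, account):
        """Administrator release, the only exit from mode="lock_admin"."""
        self._reset(account)


if __name__ == "__main__":
    clk = FakeClock()
    t = LogonThrottle(max_attempts=3, window=60, lock_seconds=300, clock=clk)
    for _ in range(3):                 # constructed sequence of bad passwords
        t.record_failure("alice")
    print(t.check("alice"))            # locked, 300 s remaining
    clk.t = 301
    print(t.check("alice"))            # lock expired
```

The window matters as much as the count: without it a legitimate user who mistypes twice a week would eventually be locked out, and with a very long lock period the same mechanism becomes a denial-of-service lever against known usernames, which is why the delay selection exists.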

AC-8: System Use Notification

Baseline(s):

  • Low
  • Moderate
  • High

The information system: Displays to users [Assignment: organization-defined system use notification message or banner] before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that: Users are accessing a U.S. Government information system; Information system usage may be…

AC-9: Previous Logon (Access) Notification

Baseline(s):

(Not part of any baseline)

The information system notifies the user, upon successful logon (access) to the system, of the date and time of the last logon (access).

AC-10: Concurrent Session Control

Baseline(s):

  • High

The information system limits the number of concurrent sessions for each [Assignment: organization-defined account and/or account type] to [Assignment: organization-defined number].

AC-11: Session Lock

Baseline(s):

  • Moderate
  • High

The information system: Prevents further access to the system by initiating a session lock after [Assignment: organization-defined time period] of inactivity or upon receiving a request from a user; and Retains the session lock until the user reestablishes access using established identification and authentication procedures.

AC-12: Session Termination

Baseline(s):

  • Moderate
  • High

The information system automatically terminates a user session after [Assignment: organization-defined conditions or trigger events requiring session disconnect].
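Worked example covering AC-10, AC-11 and AC-12 together, since all three act on the same session state. It is added here and is not code from NIST SP 800-53 or any product: a session registry that refuses a new session when the account already holds the configured number for its account type (AC-10), locks a session after a period of inactivity or on the user's request and keeps it locked until re-authentication succeeds (AC-11), and terminates a session on trigger events such as a maximum lifetime or an explicit logout (AC-12). The account types, limits, timeouts and the settable clock are hypothetical; the re-authentication step itself happens elsewhere and is passed in as a boolean.

```python
"""Added example (not NIST text): a session registry for AC-10 (concurrent
session limits), AC-11 (session lock) and AC-12 (session termination).
Account types, limits and timeouts are hypothetical."""
import secrets
import time
from dataclasses import dataclass


class FakeClock:
    """Settable clock so timeouts can be exercised without waiting."""
    def __init__(self, start=0.0):
        self.t = start

    def __call__(self):
        return self.t


@dataclass
class Session:
    user: str
    account_type: str
    created: float
    last_activity: float
    locked: bool = False
    terminated: bool = False
    end_reason: str = ""


class SessionManager:
    def __init__(self, limits, lock_after, max_lifetime, clock=time.monotonic):
        self.limits = limits              # account_type -> max concurrent sessions (AC-10)
        self.lock_after = lock_after      # seconds of inactivity before lock (AC-11)
        self.max_lifetime = max_lifetime  # absolute age that forces termination (AC-12)
        self.clock = clock
        self.sessions = {}                # session id -> Session

    def _live(self, user, account_type):
        return [s for s in self.sessions.values()
                if s.user == user and s.account_type == account_type and not s.terminated]

    def open(self, user, account_type):
        """Create a session, or return None when the user already holds the
        limit for that account type (AC-10).  Unknown types get no sessions."""
        if len(self._live(user, account_type)) >= self.limits.get(account_type, 0):
            return None
        now = self.clock()
        sid = secrets.token_hex(16)
        self.sessions[sid] = Session(user, account_type, now, now)
        return sid

    def touch(self, sid):
        """Record activity and return the session state:
        'active', 'locked' or 'terminated'."""
        s = self.sessions[sid]
        now = self.clock()
        if s.terminated:
            return "terminated"
        if now - s.created >= self.max_lifetime:
            self.terminate(sid, "maximum session lifetime reached")   # AC-12 trigger
            return "terminated"
        if s.locked:
            return "locked"             # AC-11: no further access while locked
        if now - s.last_activity >= self.lock_after:
            s.locked = True             # AC-11: inactivity lock
            return "locked"
        s.last_activity = now
        return "active"

    def lock(self, sid):
        """AC-11: lock on the user's request."""
        self.sessions[sid].locked = True

    def unlock(self, sid, reauthenticated):
        """AC-11: the lock is retained until the user re-establishes access
        through identification and authentication; `reauthenticated` is the
        outcome of that step, performed elsewhere."""
        s = self.sessions[sid]
        if s.terminated:
            return "terminated"
        if s.locked and not reauthenticated:
            return "locked"
        s.locked = False
        s.last_activity = self.clock()
        return "active"

    def terminate(self, sid, reason):
        """AC-12: terminate on a trigger event (logout, lifetime, administrative action)."""
        s = self.sessions[sid]
        s.terminated = True
        s.end_reason = reason


if __name__ == "__main__":
    clk = FakeClock()
    sm = SessionManager({"privileged": 1, "standard": 2}, lock_after=600, max_lifetime=28800, clock=clk)
    sid = sm.open("alice", "privileged")          # constructed scenario
    print("second privileged session:", sm.open("alice", "privileged"))
    clk.t = 700
    print(sm.touch(sid), sm.unlock(sid, reauthenticated=True))
```

Note the order of checks in `touch`: the lifetime test runs before the lock test, so a locked session that has outlived its maximum age is terminated rather than left waiting for a re-authentication that would only revive it. A lock and a termination are different end states on purpose; a lock preserves the session for the same authenticated user, a termination requires a new session and therefore a new AC-10 slot.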

AC-14: Permitted Actions Without Identification Or Authentication

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Identifies [Assignment: organization-defined user actions] that can be performed on the information system without identification or authentication consistent with organizational missions/business functions; and Documents and provides supporting rationale in the security plan for the information system, user actions not requiring identification or authentication.

AC-16: Security Attributes

Baseline(s):

(Not part of any baseline)

The organization: Provides the means to associate [Assignment: organization-defined types of security attributes] having [Assignment: organization-defined security attribute values] with information in storage, in process, and/or in transmission; Ensures that the security attribute associations are made and retained with the information; Establishes the permitted [Assignment: organization-defined security attributes] for [Assignment: organization-defined information systems]; and Determines…

AC-17: Remote Access

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Establishes and documents usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed; and Authorizes remote access to the information system prior to allowing such connections.

AC-18: Wireless Access

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and Authorizes wireless access to the information system prior to allowing such connections.

AC-19: Access Control For Mobile Devices

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Establishes usage restrictions, configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices; and Authorizes the connection of mobile devices to organizational information systems.

AC-20: Use Of External Information Systems

Baseline(s):

  • Low
  • Moderate
  • High

The organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to: Access the information system from external information systems; and Process, store, or transmit organization-controlled information using external information systems.

AC-21: Information Sharing

Baseline(s):

  • Moderate
  • High

The organization: Facilitates information sharing by enabling authorized users to determine whether access authorizations assigned to the sharing partner match the access restrictions on the information for [Assignment: organization-defined information sharing circumstances where user discretion is required]; and Employs [Assignment: organization-defined automated mechanisms or manual processes] to assist users in making information sharing/collaboration decisions.

AC-22: Publicly Accessible Content

Baseline(s):

  • Low
  • Moderate
  • High

The organization: Designates individuals authorized to post information onto a publicly accessible information system; Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information; Reviews the proposed content of information prior to posting onto the publicly accessible information system to ensure that nonpublic information is not included; and Reviews the content…

AC-23: Data Mining Protection

Baseline(s):

(Not part of any baseline)

The organization employs [Assignment: organization-defined data mining prevention and detection techniques] for [Assignment: organization-defined data storage objects] to adequately detect and protect against data mining.

AC-24: Access Control Decisions

Baseline(s):

(Not part of any baseline)

The organization establishes procedures to ensure [Assignment: organization-defined access control decisions] are applied to each access request prior to access enforcement.

AC-25: Reference Monitor

Baseline(s):

(Not part of any baseline)

The information system implements a reference monitor for [Assignment: organization-defined access control policies] that is tamperproof, always invoked, and small enough to be subject to analysis and testing, the completeness of which can be assured.