AC-2(12): Account Monitoring / Atypical Usage

Control Family:

Access Control


  • High

Next Version:

Control Statement

The organization:

  1. Monitors information system accounts for [Assignment: organization-defined atypical usage]; and
  2. Reports atypical usage of information system accounts to [Assignment: organization-defined personnel or roles].

Supplemental Guidance

Atypical usage includes, for example, accessing information systems at certain times of the day and from locations that are not consistent with the normal usage patterns of individuals working in organizations.